registry  /  express-ini  /  12.1.10

express-ini@12.1.10

```bash npm install ```

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10505 confirms this npm version as malicious. package.json declares postinstall=`node index.js`. index.js is heavily obfuscated (obfuscator.io rotated string-array with RC4-based decoders hiding all identifiers and literals)...

Advisory
MAL-2026-10505
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-ini (npm)
Details
package.json declares postinstall=`node index.js`. index.js is heavily obfuscated (obfuscator.io rotated string-array with RC4-based decoders hiding all identifiers and literals). At install time the script imports fs, os, path, crypto, child_process and a network module, installs silent uncaughtException/unhandledRejection handlers to suppress errors, performs a remote lookup, splits the response on ':', base64-decodes it, AES-decrypts it via crypto.createDecipheriv, writes the decrypted bytes to a file under process.cwd(), and executes it via child_process.execSync with windowsHide:true. The package name suggests an Express.js utility and the README describes an unrelated 'Safe Wrapper Module', but the only shipped code is the dropper — the name and README are cover for install-time remote code execution against the installer's machine.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 23.0 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1function c(b,d){b=b-(0xb35+0x1169+-0x1bb8);var e=a();var f=e[b];if(c['vJBrzO']===undefined){var g=function(l){var m='[redacted]+...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

index.jsView on unpkg · L1

Findings

2 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated Payload Loaderindex.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings