OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6543 confirms this npm version as malicious. package.json declares `"postinstall": "node index.js"`, so `npm install express-initial` automatically runs the package's main script. index.js is heavily obfuscated (obfuscator.io-style 317-entry RC4-encoded string array, base64 decoder, array-rotation self-shuffle, control-flow flattening) which hides the destination URL, AES key material, and command strings from any plain-text inspection...
Advisory
MAL-2026-6543
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-initial (npm)
Details
package.json declares `"postinstall": "node index.js"`, so `npm install express-initial` automatically runs the package's main script. index.js is heavily obfuscated (obfuscator.io-style 317-entry RC4-encoded string array, base64 decoder, array-rotation self-shuffle, control-flow flattening) which hides the destination URL, AES key material, and command strings from any plain-text inspection. At runtime the script imports http/https, fs, path, os, crypto, and child_process, performs an HTTPS GET against a hard-coded remote host, splits the response on ':' into IV and ciphertext, decrypts via `crypto.createDecipheriv('aes-256-...', <sha256-derived key>, Buffer.from(iv,'base64'))`, writes the decrypted bytes into `path.join(os.tmpdir(), <name>)` with flag 'w+', and immediately invokes the dropped file via `child_process.exec`/`execFile` with `windowsHide: true`. This is a fetch-decrypt-and-execute dropper firing on default install. The package name also leverages the popular `express` framework while shipping empty author/description/repository metadata and a generic README that itself notes the script is obfuscated — consistent with a deliberate supply-chain lure rather than a legitimate helper.
## Source: ghsa-malware (7e5efd40dc0c1b6d6087636366132ffd18b77da665b9984fddb61c9bb72a80de) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms express-initial@12.1.7 as malicious (MAL-2026-6543): Malicious code in express-initial (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory