registry  /  express-request-engine  /  3.6.3

express-request-engine@3.6.3

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Importing the package triggers a request to a hard-coded remote endpoint. The returned response supplies JavaScript that is executed with Node's `require` capability.

Static reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Any runtime `require('express-request-engine')` or import of its main entrypoint.
Impact
A remote endpoint can execute arbitrary Node.js code in the consuming application's process.
Mechanism
import-time remote payload retrieval and dynamic code execution
Attack narrative
When the main entrypoint loads, it calls `initPlugin()` with a hard-coded JsonBin URL. It retrieves JSON, extracts `record.cerookie`, constructs a function from that remote string via `Function.constructor`, and invokes it with Node's `require`. The endpoint operator can therefore choose code executed in every process that imports the package.
Rationale
This is a concrete import-time remote-code-execution chain, not a normal request helper. The hard-coded network payload is executed without user action or integrity verification.
Evidence
index.jspackage.json
Network endpoints1
api.jsonbin.io/v3/b/6a4f5816f5f4af5e29762c92

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` runs `initPlugin()` immediately on module import.
  • `index.js` fetches a hard-coded JsonBin URL by default.
  • `index.js` reads `record.cerookie` from the network response.
  • `index.js` executes that response using `Function.constructor` with `require` access.
  • `package.json` has no lifecycle hook; the malicious path is import-time.
Evidence against
  • No package files beyond `package.json` and `index.js` are present.
  • No local file harvesting, persistence, or AI-agent configuration writes were found.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.17 KB of source, external domains: api.jsonbin.io

Source & flagged code

1 flagged · loading source
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 2f4b4b88ffe959e1 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = express-router-engine@3.6.8 matchedPath = index.js matchedIdentity = npm:ZXhwcmVzcy1yb3V0ZXItZW5naW5l:3.6.8 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg

Findings

1 High1 Medium3 Low
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings