AI Security Review
scanned 2h ago · by lpm-firewall-aiImporting the package triggers a request to a hard-coded remote endpoint. The returned response supplies JavaScript that is executed with Node's `require` capability.
Static reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Any runtime `require('express-request-engine')` or import of its main entrypoint.
Impact
A remote endpoint can execute arbitrary Node.js code in the consuming application's process.
Mechanism
import-time remote payload retrieval and dynamic code execution
Attack narrative
When the main entrypoint loads, it calls `initPlugin()` with a hard-coded JsonBin URL. It retrieves JSON, extracts `record.cerookie`, constructs a function from that remote string via `Function.constructor`, and invokes it with Node's `require`. The endpoint operator can therefore choose code executed in every process that imports the package.
Rationale
This is a concrete import-time remote-code-execution chain, not a normal request helper. The hard-coded network payload is executed without user action or integrity verification.
Evidence
index.jspackage.json
Network endpoints1
api.jsonbin.io/v3/b/6a4f5816f5f4af5e29762c92
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` runs `initPlugin()` immediately on module import.
- `index.js` fetches a hard-coded JsonBin URL by default.
- `index.js` reads `record.cerookie` from the network response.
- `index.js` executes that response using `Function.constructor` with `require` access.
- `package.json` has no lifecycle hook; the malicious path is import-time.
Evidence against
- No package files beyond `package.json` and `index.js` are present.
- No local file harvesting, persistence, or AI-agent configuration writes were found.
Behavioral surface
Network
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceindex.jsView file
•matchType = malicious_source_fingerprint_signature
signature = 2f4b4b88ffe959e1
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = express-router-engine@3.6.8
matchedPath = index.js
matchedIdentity = npm:ZXhwcmVzcy1yb3V0ZXItZW5naW5l:3.6.8
similarity = 1.000
shingleOverlap = 1
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgFindings
1 High1 Medium3 Low
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings