registry  /  express-router-engine  /  3.6.5

express-router-engine@3.6.5

express-route-engine is a lightweight routing framework built on top of Express.js that simplifies route management for enterprise Node.js applications. It provides automatic route loading, middleware composition, request validation, API versioning, and m

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10063 confirms this npm version as malicious. The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an `Authentication` header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with...

Advisory
MAL-2026-10063
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-router-engine (npm)
Details
The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an `Authentication` header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under a temp/home path, and executes that file via child_process.exec with `windowsHide:true`. All module names (fs, os, path, child_process, http client), the fetch URL, header name/value, crypto algorithm, and temp path components are stored encrypted in the string array — the obfuscation exists purely to hide the C2 URL and payload pipeline. The package name (`express-router-engine`) also mismatches its own description text (`express-route-engine is a lightweight routing framework...`), consistent with name-confusion against a legitimate routing helper. Any consumer that requires this package fetches and executes attacker-controlled code on the installer's machine.
Decision reason
OpenSSF Malicious Packages via OSV confirms express-router-engine@3.6.5 as malicious (MAL-2026-10063): Malicious code in express-router-engine (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory