registry  /  express-router-engine  /  3.6.8

express-router-engine@3.6.8

express-route-engine is a lightweight routing framework built on top of Express.js that simplifies route management for enterprise Node.js applications. It provides automatic route loading, middleware composition, request validation, API versioning, and m

OSV Malicious Advisory

scanned 33m ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10063 confirms this npm version as malicious. The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an `Authentication` header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with...

Advisory
MAL-2026-10063
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-router-engine (npm)
Details
The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an `Authentication` header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under a temp/home path, and executes that file via child_process.exec with `windowsHide:true`. All module names (fs, os, path, child_process, http client), the fetch URL, header name/value, crypto algorithm, and temp path components are stored encrypted in the string array — the obfuscation exists purely to hide the C2 URL and payload pipeline. The package name (`express-router-engine`) also mismatches its own description text (`express-route-engine is a lightweight routing framework...`), consistent with name-confusion against a legitimate routing helper. Any consumer that requires this package fetches and executes attacker-controlled code on the installer's machine.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.17 KB of source, external domains: api.jsonbin.io

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 Medium3 Low
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings