OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10131 confirms this npm version as malicious. The package impersonates the popular express-session library by copying its name pattern, author metadata (TJ Holowaychuk <tj@vision-media.ca>), and repository field (expressjs/session-kit). The library body is a verbatim copy of express-session with a dropper appended to index.js: an initServer() function invoked at module load spawns a detached, stdio-ignored `node` subprocess to run a sibling payload script...
Advisory
MAL-2026-10131
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-session-kit (npm)
Details
The package impersonates the popular express-session library by copying its name pattern, author metadata (TJ Holowaychuk <tj@vision-media.ca>), and repository field (expressjs/session-kit). The library body is a verbatim copy of express-session with a dropper appended to index.js: an initServer() function invoked at module load spawns a detached, stdio-ignored `node` subprocess to run a sibling payload script. That payload (session/check.js) performs an HTTP GET to http://check-server-state.vercel.app/server/v2 with a `bearrtoken: gemini` header, and when the endpoint responds with HTTP 404 carrying a JSON `token` field, wraps that field with `new Function("require", err.response.data.token)` and immediately invokes it with the real require — granting the remote endpoint arbitrary code execution in the Node process. Delivery via a 404 error body is a covert channel designed to look like a benign failed probe. Although the current dropper references./lib/check.js while the payload actually ships at./session/check.js and the spawn/path bindings are not imported (so the current tarball's dropper would throw before spawning), the second-stage payload file is present, complete, and directly requireable; any consumer that requires the payload — or a trivial fix in a subsequent version — makes the RCE live. Combined with the typosquat cover, this is a supply-chain attack targeting developers who mistype express-session.
## Source: ghsa-malware (44b1bb99fbd84a5cd6a12254371c4689b14a2b8f679157961cd58e26b87b26f9) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms express-session-kit@1.1.0-beta as malicious (MAL-2026-10131): Malicious code in express-session-kit (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory