MAL-2026-10182: Malicious code in express-guardian (npm)
The npm package express-guardian masquerades as Express security middleware but contains malicious code that executes attacker-supplied JavaScript. When used as recommended, it spawns a detached child process that fetches code from a hardcoded HTTP endpoint and executes it with full module access, allowing remote code execution. A secondary payload URL is hidden and can be updated by the attacker without republishing the package. This behavior makes the package a remote code execution threat under the guise of security middleware.
AI Analysis
Technical Summary
The express-guardian npm package (versions 1.4.1 and 1.4.3) advertises itself as security middleware for Express.js but implements a no-op middleware that only calls next(). The actual malicious behavior occurs when the exported expressSecurity() function is invoked, spawning a detached Node.js child process that fetches JavaScript code from a hardcoded plain-HTTP URL (http://server-genimi-check.vercel.app/defy/v3). Upon receiving a 404 response, it extracts a token from the response body and dynamically constructs and executes a function with full access to Node.js modules, effectively executing attacker-controlled code remotely. Additionally, a secondary payload URL is base64-encoded in the package and points to a public paste service, allowing the attacker to update the malicious payload dynamically without republishing the package. This design enables persistent remote code execution on any system that installs and uses this package as recommended.
Potential Impact
This malicious package enables remote code execution within the Node.js process of any application that installs and uses express-guardian versions 1.4.1 or 1.4.3 as recommended. The attacker can execute arbitrary JavaScript code with full module access, potentially leading to full system compromise, data theft, or further malware deployment. The use of a mutable external payload URL allows the attacker to change the malicious code at will without republishing the package, increasing the threat's persistence and flexibility.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. The recommended mitigation is to avoid using express-guardian versions 1.4.1 and 1.4.3 entirely. Remove these versions from your projects and replace them with trusted, verified security middleware alternatives. Monitor your environment for any signs of compromise if this package was previously installed and used. Since this is a malicious package, do not attempt to use or trust any code from it.
MAL-2026-10182: Malicious code in express-guardian (npm)
Description
The npm package express-guardian masquerades as Express security middleware but contains malicious code that executes attacker-supplied JavaScript. When used as recommended, it spawns a detached child process that fetches code from a hardcoded HTTP endpoint and executes it with full module access, allowing remote code execution. A secondary payload URL is hidden and can be updated by the attacker without republishing the package. This behavior makes the package a remote code execution threat under the guise of security middleware.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The express-guardian npm package (versions 1.4.1 and 1.4.3) advertises itself as security middleware for Express.js but implements a no-op middleware that only calls next(). The actual malicious behavior occurs when the exported expressSecurity() function is invoked, spawning a detached Node.js child process that fetches JavaScript code from a hardcoded plain-HTTP URL (http://server-genimi-check.vercel.app/defy/v3). Upon receiving a 404 response, it extracts a token from the response body and dynamically constructs and executes a function with full access to Node.js modules, effectively executing attacker-controlled code remotely. Additionally, a secondary payload URL is base64-encoded in the package and points to a public paste service, allowing the attacker to update the malicious payload dynamically without republishing the package. This design enables persistent remote code execution on any system that installs and uses this package as recommended.
Potential Impact
This malicious package enables remote code execution within the Node.js process of any application that installs and uses express-guardian versions 1.4.1 or 1.4.3 as recommended. The attacker can execute arbitrary JavaScript code with full module access, potentially leading to full system compromise, data theft, or further malware deployment. The use of a mutable external payload URL allows the attacker to change the malicious code at will without republishing the package, increasing the threat's persistence and flexibility.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. The recommended mitigation is to avoid using express-guardian versions 1.4.1 and 1.4.3 entirely. Remove these versions from your projects and replace them with trusted, verified security middleware alternatives. Monitor your environment for any signs of compromise if this package was previously installed and used. Since this is a malicious package, do not attempt to use or trust any code from it.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10182
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a520ea768715ace438f4423
Added to database: 07/11/2026, 09:36:39 UTC
Last enriched: 07/11/2026, 09:45:26 UTC
Last updated: 07/12/2026, 04:25:19 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.