Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10182: Malicious code in express-guardian (npm)

0
Critical
Published: 07/10/2026 (07/10/2026, 22:42:45 UTC)
Source: GCVE Database
Product: express-guardian

Description

The npm package express-guardian masquerades as Express security middleware but contains malicious code that executes attacker-supplied JavaScript. When used as recommended, it spawns a detached child process that fetches code from a hardcoded HTTP endpoint and executes it with full module access, allowing remote code execution. A secondary payload URL is hidden and can be updated by the attacker without republishing the package. This behavior makes the package a remote code execution threat under the guise of security middleware.

Affected software

npmghsa
express-guardian
Affected versions
=1.4.1=1.4.3

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:45:26 UTC

Technical Analysis

The express-guardian npm package (versions 1.4.1 and 1.4.3) advertises itself as security middleware for Express.js but implements a no-op middleware that only calls next(). The actual malicious behavior occurs when the exported expressSecurity() function is invoked, spawning a detached Node.js child process that fetches JavaScript code from a hardcoded plain-HTTP URL (http://server-genimi-check.vercel.app/defy/v3). Upon receiving a 404 response, it extracts a token from the response body and dynamically constructs and executes a function with full access to Node.js modules, effectively executing attacker-controlled code remotely. Additionally, a secondary payload URL is base64-encoded in the package and points to a public paste service, allowing the attacker to update the malicious payload dynamically without republishing the package. This design enables persistent remote code execution on any system that installs and uses this package as recommended.

Potential Impact

This malicious package enables remote code execution within the Node.js process of any application that installs and uses express-guardian versions 1.4.1 or 1.4.3 as recommended. The attacker can execute arbitrary JavaScript code with full module access, potentially leading to full system compromise, data theft, or further malware deployment. The use of a mutable external payload URL allows the attacker to change the malicious code at will without republishing the package, increasing the threat's persistence and flexibility.

Mitigation Recommendations

No official patch or fix is currently available for this malicious package. The recommended mitigation is to avoid using express-guardian versions 1.4.1 and 1.4.3 entirely. Remove these versions from your projects and replace them with trusted, verified security middleware alternatives. Monitor your environment for any signs of compromise if this package was previously installed and used. Since this is a malicious package, do not attempt to use or trust any code from it.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10182
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a520ea768715ace438f4423

Added to database: 07/11/2026, 09:36:39 UTC

Last enriched: 07/11/2026, 09:45:26 UTC

Last updated: 07/12/2026, 04:25:19 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses