MAL-2026-6523: Malicious code in express-plugin (npm)
The npm package 'express-plugin' version 1.6.6 contains malicious code that executes arbitrary JavaScript fetched from a third-party mutable paste hosting service upon module load. This code runs with full Node.js require privileges, allowing an attacker to execute any code on the host system. The package masquerades as a benign Express middleware and includes a decoy function to mislead users. The remote payload can be changed at any time by the attacker without republishing the package, enabling dynamic malicious actions such as credential theft or persistence.
AI Analysis
Technical Summary
The 'express-plugin' npm package (version 1.6.6) automatically invokes an initialization function on load that performs an HTTP GET request to a mutable third-party URL (https://jsonkeeper.com/b/PRA3O). It parses the JSON response and extracts a 'cookie' field, which is then passed to the JavaScript Function constructor with 'require' exposed, immediately executing arbitrary code fetched remotely. This design grants the attacker full control over the executing environment with Node.js privileges. The package is disguised as an Express middleware and exports a decoy normalizePath function to evade detection. Because the remote payload is attacker-controlled and mutable, the malicious behavior can change dynamically without any new package version release.
Potential Impact
Any process that requires 'express-plugin' version 1.6.6 will execute attacker-controlled code with full Node.js privileges, potentially leading to complete system compromise, credential theft, persistence mechanisms, or other malicious activities. The dynamic nature of the remote payload means the attacker can alter the malicious code at any time without republishing the package, increasing the risk and difficulty of detection.
Mitigation Recommendations
No official patch or remediation is currently documented for this package version. Users should immediately remove 'express-plugin' version 1.6.6 from their dependencies and avoid using this package. Since the malicious code executes on module load, uninstalling or replacing the package with a trusted alternative is critical. Monitor for any usage of this package in your environment and conduct a thorough investigation if found. Patch status is not yet confirmed — check the vendor advisory or trusted sources for updates.
MAL-2026-6523: Malicious code in express-plugin (npm)
Description
The npm package 'express-plugin' version 1.6.6 contains malicious code that executes arbitrary JavaScript fetched from a third-party mutable paste hosting service upon module load. This code runs with full Node.js require privileges, allowing an attacker to execute any code on the host system. The package masquerades as a benign Express middleware and includes a decoy function to mislead users. The remote payload can be changed at any time by the attacker without republishing the package, enabling dynamic malicious actions such as credential theft or persistence.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'express-plugin' npm package (version 1.6.6) automatically invokes an initialization function on load that performs an HTTP GET request to a mutable third-party URL (https://jsonkeeper.com/b/PRA3O). It parses the JSON response and extracts a 'cookie' field, which is then passed to the JavaScript Function constructor with 'require' exposed, immediately executing arbitrary code fetched remotely. This design grants the attacker full control over the executing environment with Node.js privileges. The package is disguised as an Express middleware and exports a decoy normalizePath function to evade detection. Because the remote payload is attacker-controlled and mutable, the malicious behavior can change dynamically without any new package version release.
Potential Impact
Any process that requires 'express-plugin' version 1.6.6 will execute attacker-controlled code with full Node.js privileges, potentially leading to complete system compromise, credential theft, persistence mechanisms, or other malicious activities. The dynamic nature of the remote payload means the attacker can alter the malicious code at any time without republishing the package, increasing the risk and difficulty of detection.
Mitigation Recommendations
No official patch or remediation is currently documented for this package version. Users should immediately remove 'express-plugin' version 1.6.6 from their dependencies and avoid using this package. Since the malicious code executes on module load, uninstalling or replacing the package with a trusted alternative is critical. Monitor for any usage of this package in your environment and conduct a thorough investigation if found. Patch status is not yet confirmed — check the vendor advisory or trusted sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6523
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef7a927e9c79719ffb697
Added to database: 06/26/2026, 22:05:29 UTC
Last enriched: 06/26/2026, 22:25:36 UTC
Last updated: 06/27/2026, 00:38:26 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.