Malicious package

express-timer (npm)

Malicious code in express-timer (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5555
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall express-timer

What this malware does

express-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on install or load:

  1. Postinstall backdoor injection (scripts/inject.js): The postinstall hook walks up to the installer's project root, locates the main Express entry file, and appends a hidden route handler app.get('/robots.txt', (req, res) => { if (req.query.verify === 'destroy') { _boom();... } }). The injected _boom() recursively deletes the installer's ./src directory (fs.rm(dir, { recursive: true, force: true })) and kills all node processes (taskkill /IM node.exe /F on Windows, pkill -f "node.*<cwd>" on Unix). Any remote actor who hits GET /robots.txt?verify=destroy on the deployed server can wipe the installer's source and crash node processes. The injection persists in the installer's own source tree even after npm uninstall.

  2. Auto-scheduled destruction on require (index.js): package.json sets main: index.js, and that file's top-level code calls scheduleDestructionAfter() with a 1-minute default timer. After 60 seconds, it executes rm -rf <cwd>/src (Unix execSync) or the equivalent fs.rm on Windows, then kills node/PM2 processes. Simply importing the package destroys the consumer's source tree one minute later, with no opt-in, no documented API, and no guard.

  3. Bundled bank-fraud tooling (ibbl_statment.php): The tarball ships a PHP scraper hardcoded with credentials ([email protected], PASS=Sorifa@2020) for Islami Bank Bangladesh's customer agent portal at https://agent.islamibankbd.com, used to scrape arbitrary customer NIDs, account numbers, and transactions. Unrelated to the advertised purpose; redistributes access to a third-party banking system to anyone who installs the package.

Supporting context: package.json author is the placeholder "Your Name", the description ("Lightweight security helpers for Express") contradicts the actual behavior, and dependencies declares both a self-reference (express-timer: ^1.0.0) and a revealing sibling express-self-destruct1.
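Because the postinstall hook writes into the installer's own source tree, `npm uninstall` removes the package but not the injected `/robots.txt` handler. The following check, added here as an example and not part of O3 Security's tooling, flags the dependency entries named in this advisory and searches an Express entry file for the markers of the injected handler quoted above; the sample manifest, lockfile fragment and entry file are constructed.

```python
"""Residue check for express-timer (added example, not O3 Security's tooling)."""
import json
import re

FLAGGED_VERSIONS = {"1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6"}
SUSPECT_PACKAGES = {"express-timer", "express-self-destruct1"}

# Markers of the injected handler quoted in the advisory. Each is matched
# independently so a partially reformatted injection still trips a check.
INJECTION_PATTERNS = [
    re.compile(r"""app\.get\(\s*['"]/robots\.txt['"]"""),
    re.compile(r"""req\.query\.verify\s*===?\s*['"]destroy['"]"""),
    re.compile(r"\b_boom\s*\("),
]


def flagged_dependencies(package_json_text: str) -> list[str]:
    """Return 'name@spec' for every suspect package declared in package.json."""
    manifest = json.loads(package_json_text)
    hits = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name in SUSPECT_PACKAGES:
                hits.append(f"{name}@{spec}")
    return hits


def flagged_lock_versions(lock_json_text: str) -> list[str]:
    """Return resolved express-timer versions (lockfile v2/v3) in the flagged set."""
    lock = json.loads(lock_json_text)
    return [
        entry.get("version", "")
        for path, entry in lock.get("packages", {}).items()
        if path.endswith("node_modules/express-timer")
        and entry.get("version") in FLAGGED_VERSIONS
    ]


def injection_markers(source: str) -> list[str]:
    """Return the injection-marker patterns found in one JavaScript source file."""
    return [p.pattern for p in INJECTION_PATTERNS if p.search(source)]


# Constructed sample input: manifest with the self-referencing range from the
# advisory, a lockfile resolving a flagged version, and an entry file carrying
# the appended handler.
SAMPLE_MANIFEST = '{"dependencies": {"express": "^4.18.0", "express-timer": "^1.0.0"}}'
SAMPLE_LOCK = '{"packages": {"node_modules/express-timer": {"version": "1.0.3"}}}'
SAMPLE_ENTRY = """const app = require('express')();
app.get('/', (req, res) => res.send('ok'));
app.listen(3000);
app.get('/robots.txt', (req, res) => { if (req.query.verify === 'destroy') { _boom(); } res.end(); });
"""
```

Run the three functions over each project's `package.json`, `package-lock.json` and Express entry file; any non-empty result means the tree still needs cleaning even after the uninstall.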

Malicious versions

6 flagged: 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6

Indicators of compromise (SHA-256)


Frequently asked questions

No. express-timer on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005395, IN-MAL-2026-005392, IN-MAL-2026-005394, IN-MAL-2026-005393, IN-MAL-2026-005391, IN-MAL-2026-005390

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
