Malicious package: routecraft (npm)

Malicious code in routecraft (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6229
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall routecraft

What this malware does

The flagged routecraft release ships verbatim Express.js source (lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js — same layout, comments, and exports, including createApplication, Router, and the json/raw/text/urlencoded/static middleware) under a different package name and author with no Express attribution, presenting itself as an original 'lightweight HTTP routing framework'. package.json declares "preinstall": "node ./lib/configure.js". lib/configure.js performs no compilation despite logging '...Skipping native addon compilation'; the package ships no native sources (no binding.gyp, no .cc/.cpp/.rs files). Instead, lines 10-12 contain if (os.platform() === 'win32' && v >= 18) { require('procwire'); }, conditionally loading the obscure procwire dependency (declared as ^1.3.0) only on Windows with Node >= 18. The false cover story, the platform gate, and the delegation of the executed code to an unpinned transitive dependency together form the standard pattern for shifting a malicious payload off the parent package: the parent appears clean, while installers on Windows execute whatever procwire ships at install time.
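As an added defensive example (not code from the advisory, from O3 Security, or from the routecraft package), the check below audits a package.json together with the source of its install-time script for the pattern described above: a lifecycle hook that requires a declared, unpinned dependency behind a platform or Node-version gate, and a script that claims native compilation while the package ships no native sources. The package name, dependency name and file contents in the sample are constructed.

```javascript
// Lifecycle hooks npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Expressions commonly used to gate behaviour on OS or Node version.
const GATE_RE = /(os\.platform\(\)|process\.platform|process\.version|os\.release\(\))/;
// Bare module specifiers only: require('x'), not require('./local').
const REQUIRE_RE = /require\(\s*['"]([^'"./][^'"]*)['"]\s*\)/g;

// pkg: parsed package.json; files: map of package-relative path -> file text.
function auditInstallHooks(pkg, files) {
  const findings = [];
  const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies);
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ severity: 'info', hook, detail: `runs "${cmd}" at install time` });
    const m = /node\s+(\S+\.js)/.exec(cmd);       // e.g. "node ./lib/configure.js"
    if (!m) continue;
    const path = m[1].replace(/^\.\//, '');
    const src = files[path];
    if (src === undefined) {
      findings.push({ severity: 'medium', hook, detail: `${path} is not in the package` });
      continue;
    }
    const gated = GATE_RE.test(src);
    for (const [, mod] of src.matchAll(REQUIRE_RE)) {
      const range = deps[mod];
      if (range === undefined) continue;            // builtin (os, fs, ...) or undeclared
      const pinned = /^\d+\.\d+\.\d+$/.test(range); // exact version, no ^ ~ * x
      findings.push({
        severity: gated ? 'high' : 'medium',
        hook,
        detail: `${path} requires dependency ${mod}@${range}` +
          (gated ? ' behind a platform/version gate' : '') +
          (pinned ? '' : ' (unpinned range)'),
      });
    }
    const hasNativeSrc = Object.keys(files).some(f => /binding\.gyp$|\.(cc|cpp|rs)$/.test(f));
    if (/compil|node-gyp|addon/i.test(src) && !hasNativeSrc) {
      findings.push({ severity: 'medium', hook,
        detail: `${path} mentions native compilation but the package has no native sources` });
    }
  }
  return findings;
}

// Constructed sample mirroring the layout the advisory describes (names are placeholders).
const samplePkg = { name: 'example-pkg', version: '0.0.0',
  scripts: { preinstall: 'node ./lib/configure.js' },
  dependencies: { 'example-helper': '^1.3.0' } };
const sampleFiles = {
  'lib/configure.js': ["const os = require('os');",
    "console.log('...Skipping native addon compilation');",
    "const v = parseInt(process.versions.node, 10);",
    "if (os.platform() === 'win32' && v >= 18) { require('example-helper'); }"].join('\n'),
  'lib/index.js': 'module.exports = {};' };
console.table(auditInstallHooks(samplePkg, sampleFiles));
```

Run it against an unpacked tarball (`npm pack` then extract) rather than an installed copy, so the audit sees the package before any lifecycle hook has had a chance to execute.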

Malicious versions

2 flagged: 4.2.0, 5.0.0

Indicators of compromise (SHA-256)

35254023a0071db579346eebe9f0e355a847a6d7f4320f600354c220f00ba646
a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0

Frequently asked questions

No. routecraft on npm has been identified as a malicious package (versions 4.2.0, 5.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007085
IN-MAL-2026-007086

Credits

  • Amazon Inspector (finder)

routecraft (npm) malicious package — MAL-2026-6229 | O3 Security