Skip to content
supplychainattack.orgSupply chain attack incident catalog
activecritical

Malware in multer-express

Malware was discovered in the npm package multer-express. Systems with this package installed or running are considered fully compromised and require immediate remediation.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with multer-express installed or running is considered fully compromised.
Ecosystems
npm
Attack vectors
Compromised package
Affected entities
  • multer-express

A malware incident was identified in the npm package multer-express, as documented in GitHub Advisory GHSA-vvr6-9g6q-v5w3. The advisory indicates that any computer with this package installed or running should be considered fully compromised.\n\nThe advisory recommends immediate rotation of all secrets and keys from a different, uncompromised computer. While the package should be removed, the advisory notes that full control of the affected computer may have been granted to an outside entity, meaning removal of the package alone may not eliminate all malicious software introduced by the installation.\n\nThis represents a critical supply chain compromise affecting npm users who have installed or are running multer-express.

Indicators of compromise

Packages
  • multer-express

Remediation

  • Immediately rotate all secrets, keys, and credentials from a different, uncompromised computer
  • Remove the multer-express package from all affected systems
  • Conduct a full security audit and forensic analysis of any system that had multer-express installed
  • Monitor affected systems for signs of unauthorized access or persistence mechanisms
  • Review and revoke any credentials or API keys that may have been exposed
  • Consider the affected system(s) as potentially fully compromised and plan for complete rebuild if critical infrastructure

Sources

  1. GitHub Advisory GHSA-vvr6-9g6q-v5w3 · GitHub Advisory Database

Cite this entry

"Malware in multer-express." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 24, 2026; last updated June 24, 2026. https://supplychainattack.org/incident/malware-in-multer-express-cjkhi5

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

Related incidents

  1. containedcritical

    Malware in opt-archetype-check

    Malware was discovered in the npm package opt-archetype-check, resulting in full system compromise for any computer with the package installed or running. All secrets and keys on affected systems should be rotated immediately from a different computer.

    npmCompromised package
  2. activecritical

    Malware in aes-decode-runner-pro

    Malware discovered in the npm package aes-decode-runner-pro. Systems with this package installed are considered fully compromised and may have given outside entities complete control.

    npmCompromised package
  3. containedcritical

    Malware in fetch-page-assets

    Malware was discovered in the npm package fetch-page-assets. Systems with this package installed or running should be considered fully compromised and require immediate remediation.

    npmCompromised package
  4. activecritical

    Malware in pretie_x2

    The npm package pretie_x2 contains malware that grants full control of affected systems. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package