{ "schema": "cremit-ioc/v1", "generated_at": "2026-05-20T07:45:28.624Z", "package": { "ecosystem": "npm", "name": "expreess", "version": "1.0.0", "publisher": "n3w_pub_42", "sha256": null, "tarball_url": null, "weekly_downloads": null, "description": null, "repository_url": null, "first_published_at": null }, "classification": { "label": "malicious", "confidence": 0.95, "summary": "Static analyzer matched curl-pipe-bash: unambiguous remote-code-execution shape in the install path.", "provider": "fast-track", "heuristic_score": 100, "disposition": "auto-published" }, "references": { "npm_url": "https://www.npmjs.com/package/expreess/v/1.0.0", "pypi_url": null, "osv_id": null, "osv_url": null, "package_page": "https://incidents.cremit.io/packages/npm/expreess" }, "techniques": [ { "id": "T1059.004", "name": "Command and Scripting Interpreter: Unix Shell", "tactic": "Execution" }, { "id": "T1195.002", "name": "Supply Chain Compromise: Compromise Software Supply Chain", "tactic": "Initial Access" } ], "indicators": { "network": { "urls": [ "http://attacker.example/p" ], "ipv4": [], "webhook_bins": [], "discord_webhook_ids": [], "telegram_bots": [], "github_repos": [] }, "files": { "credential_paths": [] }, "deps": { "suspicious": [] }, "encoded": { "base64": [] }, "metadata": { "heuristic_flags": [ "install-scripts:postinstall", "new-publisher:18d", "typo-match:express:d1", "first-version-suspicious-publisher" ], "static_flags": [ "curl-pipe-bash" ], "self_described_as": [] } }, "stix_hints": { "indicator_pattern_examples": [], "note": "These are STIX 2.1 indicator pattern fragments, not a full bundle. Wrap each in {type:\"indicator\", pattern:..., pattern_type:\"stix\"} and add identity / created_by_ref objects to ingest into a TIP." } }