Malicious code in express-session-js (npm)

Package impersonates legitimate express-session package; initPlugin downloads and executes attacker-controlled remote code on startup via new Function.constructor --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...