Is this evidence of malicious code?
I am working on a React app using create-react-app, and I recently saw some errors in the VS Code terminal that look kind of suspect to me. It looks like a library called "express" is trying to find a win.ini file and something to do with /etc/passwd.
Why would it need to look at those?
I looked up "express" on NPM and it looks like a lightweight web server. Is that what create-react-app uses as the dev server?
```
URIError: Failed to decode param '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/windows/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/winnt/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/windows/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/winnt/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/etc/passwd'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
```
Solution 1:[1]
win.ini just stores user settings for logging in, and /etc/passwd contains a list of users on UNIX systems. Neither file contains passwords or even password hashes.
If this is malicious, I suspect express is used to post back to the attacker's server to give them info.
Solution 2:[2]
Express is a popular program used by most web server installers. Looking at this error, I think you left the directory unprotected and someone has tried to reach the file that contains hashed user passwords. Please check and edit directory access paths for your security.
Some details:
/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/windows/win.ini is URL-encoded,
%2E means ".",
%C0 means "À",
This means someone tried to reach a directory named "/À.À./À.À./À.À./À.À./windows/win.ini".
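The encoded paths in the question's errors can be recognised mechanically. The following Node.js script is an added example (not code from either answer or from Express itself): it shows why `decodeURIComponent` throws the `URIError` seen in the trace, and uses a tolerant decoder to reveal which file each rejected request was probing for; the log lines are constructed to mirror the question's terminal output.

```javascript
// Added example (not Express's or either answer's code): why the question's
// URIError appears, and what path each rejected request was probing for.
// Constructed log lines shaped like the question's VS Code terminal output.
const SAMPLE_LOG = [
  "URIError: Failed to decode param '/%c0%2e%c0%2e/%c0%2e%c0%2e/windows/win.ini'",
  "URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/etc/passwd'",
  "URIError: Failed to decode param '/%c0%2e%c0%2e/%c0%2e%c0%2e/winnt/win.ini'",
  'GET /static/js/main.chunk.js 200',
];

// Express decodes route params with decodeURIComponent. %c0 is an overlong
// (invalid) UTF-8 lead byte and %uff0e is not valid percent-encoding at all,
// so both throw URIError; Express reports that as "Failed to decode param".
function strictDecodeFails(path) {
  try {
    decodeURIComponent(path);
    return false;
  } catch (e) {
    return e instanceof URIError;
  }
}

// Analysis-only decoder: maps the alternate encodings of '.' seen in the
// trace back to a plain '.', so we can see the path the request intended.
function tolerantDecode(path) {
  return path
    .replace(/%c0%(2e|ae)/gi, '.')   // 2-byte overlong UTF-8 encodings of '.'
    .replace(/%e0%80%ae/gi, '.')     // 3-byte overlong encoding of '.'
    .replace(/%uff0e/gi, '.')        // non-standard %u encoding of U+FF0E (fullwidth '.')
    .replace(/%2e/gi, '.')
    .replace(/%2f/gi, '/');
}

// Classify one line: null for ordinary lines, otherwise a finding that says
// whether the request was a directory-traversal probe and what it targeted.
function classifyLine(line) {
  const m = line.match(/Failed to decode param '([^']*)'/);
  if (!m) return null;
  const decoded = tolerantDecode(m[1]);
  const traversal = /(^|\/)\.\.(\/|$)/.test(decoded);
  const target = decoded.split('/').filter((s) => s && s !== '..').join('/');
  return { raw: m[1], decoded, traversal, target, rejected: strictDecodeFails(m[1]) };
}

function scanLog(lines) {
  return lines.map(classifyLine).filter(Boolean);
}

scanLog(SAMPLE_LOG).forEach((f) => console.log(f));
```

Every finding carries `rejected: true`, which is the useful defender-side fact: the same decoding failure that produced the noisy trace also stopped the request before any route handler ran.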
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Sami |
| Solution 2 | |
