Destructive npm packages enable remote system destruction
Take action: Always vet external packages before installation. Make sure to use packages with a lot of contributors and a lot of users. Avoid brand new packages and packages with a single contributor, and NEVER just trust packages suggested by AI. If possible, implement automated package scanning tools and behavioral monitoring in your CI/CD pipeline.
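The vetting advice above can be enforced mechanically before `npm install`. The following is an added example, not code from the Socket report or from npm: it applies the policy (package age, maintainer count, user base, and install hooks that run code at install time) to registry metadata. It is written against the document shape served by https://registry.npmjs.org/<name> (`time.created`, `maintainers`, `dist-tags`, `versions[v].scripts`) and the shape served by https://api.npmjs.org/downloads/point/last-week/<name> (`downloads`), but the thresholds in `POLICY` are assumptions, the package names are placeholders, and all metadata is constructed inline so the check runs offline.

```javascript
// Added example (not the Socket report's or npm's code): pre-install vetting of
// npm registry metadata against the "Take action" policy. Thresholds and sample
// documents below are ASSUMPTIONS / CONSTRUCTED data for offline demonstration.

const POLICY = {
  minAgeDays: 90,          // assumption: younger than this counts as "brand new"
  minMaintainers: 2,       // assumption: single-maintainer packages are flagged
  minWeeklyDownloads: 1000 // assumption: threshold for "a lot of users"
};

function vetPackage(registryDoc, downloadsDoc, now = new Date(), policy = POLICY) {
  const findings = [];

  // Package age: a brand-new package has no track record to rely on.
  const created = new Date(registryDoc.time && registryDoc.time.created);
  if (Number.isNaN(created.getTime())) {
    findings.push('registry metadata has no creation timestamp');
  } else {
    const ageDays = Math.floor((now - created) / 86400000);
    if (ageDays < policy.minAgeDays) findings.push(`package is only ${ageDays} day(s) old`);
  }

  // Maintainer count: one account means one malicious or compromised account suffices.
  const maintainers = Array.isArray(registryDoc.maintainers) ? registryDoc.maintainers : [];
  if (maintainers.length < policy.minMaintainers) {
    findings.push(`only ${maintainers.length} maintainer(s)`);
  }

  // Weekly downloads as a proxy for "a lot of users".
  const downloads = downloadsDoc && typeof downloadsDoc.downloads === 'number' ? downloadsDoc.downloads : 0;
  if (downloads < policy.minWeeklyDownloads) findings.push(`only ${downloads} downloads last week`);

  // Install hooks run arbitrary code at `npm install` time; surface them for review.
  const latest = registryDoc['dist-tags'] && registryDoc['dist-tags'].latest;
  const manifest = latest && registryDoc.versions ? registryDoc.versions[latest] : undefined;
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push(`declares ${hook} script: ${scripts[hook]}`);
  }

  return { name: registryDoc.name, version: latest, allowed: findings.length === 0, findings };
}

// CONSTRUCTED sample: a one-day-old, single-maintainer package with a postinstall hook.
const SAMPLE_NEW = {
  name: 'example-sync-helper', // placeholder name, not a real package
  'dist-tags': { latest: '1.0.0' },
  versions: { '1.0.0': { name: 'example-sync-helper', version: '1.0.0', scripts: { postinstall: 'node setup.js' } } },
  time: { created: '2025-06-01T00:00:00.000Z', modified: '2025-06-01T00:00:00.000Z', '1.0.0': '2025-06-01T00:00:00.000Z' },
  maintainers: [{ name: 'solo-dev', email: 'solo@example.invalid' }]
};
const SAMPLE_NEW_DOWNLOADS = { downloads: 12, start: '2025-05-26', end: '2025-06-01', package: 'example-sync-helper' };

// CONSTRUCTED sample: a long-lived, multi-maintainer, widely used package.
const SAMPLE_ESTABLISHED = {
  name: 'example-established', // placeholder name, not a real package
  'dist-tags': { latest: '4.2.0' },
  versions: { '4.2.0': { name: 'example-established', version: '4.2.0', scripts: { test: 'node test.js' } } },
  time: { created: '2015-01-10T00:00:00.000Z', modified: '2025-05-01T00:00:00.000Z' },
  maintainers: [
    { name: 'alice', email: 'a@example.invalid' },
    { name: 'bob', email: 'b@example.invalid' },
    { name: 'carol', email: 'c@example.invalid' }
  ]
};
const SAMPLE_ESTABLISHED_DOWNLOADS = { downloads: 250000, start: '2025-05-26', end: '2025-06-01', package: 'example-established' };

// Fixed clock so the results are reproducible.
const NOW = new Date('2025-06-02T00:00:00.000Z');

for (const [doc, dl] of [[SAMPLE_NEW, SAMPLE_NEW_DOWNLOADS], [SAMPLE_ESTABLISHED, SAMPLE_ESTABLISHED_DOWNLOADS]]) {
  console.log(JSON.stringify(vetPackage(doc, dl, NOW), null, 2));
}
```

In a pipeline, fetch both documents for every package in the lockfile diff and fail the job when `allowed` is false; the `findings` array is what goes into the review ticket. The thresholds are deliberately crude and should be tuned per organisation; the point is that each criterion in the policy above maps to a field the registry already exposes.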
Learn More
Security researchers at Socket have detected two destructive npm packages that masquerade as legitimate utilities but are designed to completely wipe production systems.
Published by npm user "botsailer" using the email address anupm019@gmail[.]com, these packages implement backdoors that represent an escalation in supply chain attacks, shifting from data theft to system destruction.
Typical npm supply chain attacks focus on cryptocurrency theft or credential harvesting. These packages register hidden HTTP endpoints that, when triggered with specific credentials, execute file deletion commands capable of wiping entire application directories.
- The first package, express-api-sync, claims to be "a simple express api to sync data between two databases". It doesn't contain any database functionality whatsoever. The package exports a function that returns standard Express middleware, so it appears benign in a typical Node.js application.
- On the first incoming HTTP request to any endpoint of the application after the package is installed, the malicious code registers a hidden POST endpoint at api/this/that.
- This endpoint accepts authentication via either the x-secret-key header or a secretKey body parameter, both expecting the hardcoded value "DEFAULT_123".
- Once the correct authentication is provided, the package executes the Unix command rm -rf * in the application's working directory.
- The endpoint provides status feedback to attackers, returning either {"message":"All files deleted"} or error details if the operation fails.
- The second package, system-health-sync-api, is much more complex. It claims to be a monitoring solution with legitimate-looking features that will pass casual security reviews. The package includes real dependencies such as nodemailer and performance-now, displays a friendly post-installation message stating "✓ Successfully installed health monitor," and offers multiple configuration options suggesting enterprise-grade flexibility.
- The package supports multiple web frameworks including Express, Fastify, and raw HTTP servers, and implements a working health check endpoint that returns actual server status information.
- Before executing any destructive operations, the package performs reconnaissance, harvesting detailed information about target systems including hostname, IP addresses, current working directory, process ID, timestamp, and a cryptographic hash of environment variables.
- The package automatically detects the underlying operating system and adjusts its deletion commands accordingly. On Windows systems, it executes rd /s /q, which removes the current directory entirely. On Unix-like systems it uses rm -rf * to delete all files. The package also includes a dry-run mode that allows attackers to test the system and gather intelligence without immediately triggering destruction.
- It uses a hardcoded email address for reconnaissance reporting, destruction confirmation, and maintaining persistent communication with the threat actor. It has hardcoded SMTP credentials for smtp[.]hostinger[.]com: the account auth@corehomes[.]in with the password "Rebel@shree1".
- The package verifies SMTP connectivity during startup, logging "SMTP Server Ready" to confirm the command-and-control channel is operational while appearing to be a legitimate health check.
- It implements multiple endpoints for activation and even has a help endpoint:
  - GET /_/system/health returns server status information; the main destruction mechanism is a POST to the same endpoint using the authentication key "HelloWorld" sent through the x-system-key header.
  - POST /_/sys/maintenance provides redundancy using a different authentication header (x-maintenance-key) and alternative sender identification in email notifications.
  - The message "POST /endpoint with valid X-System-Key header" is returned as a helpful error message for attackers.
Express middleware executes on every HTTP request with full application privileges. This positioning gives attackers complete access to application resources and the ability to monitor all incoming traffic.
Organizations should implement comprehensive supply chain security measures including package verification, behavioral monitoring, and rapid incident response capabilities to defend against this evolving threat landscape.