Two malicious npm packages have been found posing as legitimate utilities to silently install backdoors for complete production wipeout.
According to Socket research, the packages “express-api-sync” and “system-health-sync-api” are designed for sabotage rather than financial gain or conventional supply chain compromise, suggesting a new kind of adversarial tooling aimed at competitive or state-level disruption.
“Published by npm user botsailer using email anupm019@gmail[.]com, both express-api-sync and system-health-sync-api secretly register hidden endpoints that, when triggered with the right credentials, execute file deletion commands that wipe out entire application directories,” said Socket researcher Kush Pandya.
DevSec teams and CISOs must set detection for the shared indicators of compromise (IOCs) and refer to the MITRE ATT&CK techniques to stay ahead of the abuse.
Packages posing as data sync and monitoring utilities
Of the two malicious packages, express-api-sync is the blunter instrument: it poses as a data sync utility for databases in Express applications. Express applications are web applications built with Express.js, a fast, minimalist web framework for Node.js.
Instead of the promised functionality, the package implements a single-purpose backdoor that waits for the kill command. “The package exports a function that returns standard Express middleware, making it blend into typical Node.js applications,” Pandya said in a blog post. “However, on the first HTTP request to ANY endpoint in your application, the malicious code springs into action.”
Essentially, the code listens for a request containing a hardcoded key “DEFAULT_123” and, when triggered, executes a destructive `rm -rf *` command, deleting everything in the application’s root directory.
The second package, system-health-sync-api, is a little more stealthy and sophisticated, Pandya added. Masquerading as a system monitoring tool, it collects environment and system data, and exposes multiple undocumented HTTP endpoints such as /rm-rf-me and /destroy-host that, when hit, execute system-wiping commands.
The malicious monitoring package also exfiltrates execution details (like hostname, IP, CWD, environment hash) via email using hardcoded SMTP credentials, enabling attackers to track successful deployments.
Smart and fail-safe command and control
The ‘monitoring’ malicious package is designed to auto-detect the host OS (Unix or Windows) and the server framework (Express, Fastify, or native HTTP). It registers OS-specific destructive routes that execute file-system wipes regardless of the environment.
Additionally, to increase reliability, the malware exposes three backdoor endpoints: a default reconnaissance module, a primary destructive route, plus a secondary fallback. If one destruction endpoint is blocked or overlooked, the attacker can still trigger system destruction via an alternate route.
“Both destruction endpoints support dry-run mode for reconnaissance and include the same cross-platform deletion logic, but return different response formats to avoid detection patterns,” Pandya noted.
Socket’s analysis singles out middleware as an ideal target for this kind of abuse, and it expects more attacks on framework-specific systems (Express, Fastify, Koa), on packages that modify other packages at runtime, and on security tools whose own code may introduce vulnerabilities. npm abuses keep piling up as Socket continues to uncover malicious activity targeting the popular JavaScript package registry.
Most recently, it reported 60 npm packages that stole sensitive host and network information in the just under two weeks they were live. This follows earlier findings of attackers abusing npm with typo-squatted packages laced with info-stealers and remote code execution payloads aimed at multi-language developers.
Original article: New npm threats can erase production systems with a single request | CSO Online