Malicious code in two NPM packages for Express applications would wipe out entire app directories when triggered with the right credentials, cybersecurity firm Socket reports.
Posing as legitimate utilities for the Express backend web application framework, the two packages, named express-api-sync and system-health-sync-api, would covertly register a hidden endpoint to perform the destructive operation. Both were published by an NPM user named botsailer.
Express-api-sync masquerades as an Express API that provides data syncing between two databases. It contains no legitimate functionality, but implements a dormant backdoor that waits for the kill command.
“When a developer adds this middleware to their Express application, it appears to do nothing. The package exports a function that returns standard Express middleware, making it blend into typical Node.js applications,” Socket explains.
However, the backdoor is activated when HTTP traffic to any application endpoint is received. It can be triggered through POST requests that use the hardcoded key ‘DEFAULT_123’, sent through a header or body parameter.
“This flexibility ensures the backdoor is triggered, regardless of how the attacker prefers to send requests, though the generic key suggests the threat actor didn’t bother creating unique keys for different victims,” Socket explains.
The backdoor is executed in the Express application’s working directory, erasing all files, including source code, databases, configuration files, and uploads.
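As an added defensive illustration (not code from Socket's report or from the packages themselves), the following Express-style checks flag requests carrying the hardcoded 'DEFAULT_123' trigger in any header or body field and scan a package manifest for the two package names; the header and field names are assumed unknown, so every value is compared.

```javascript
// Added example: defensive checks for the express-api-sync /
// system-health-sync-api backdoor trigger described above.
// Assumption: the key may appear as any header value or any top-level
// body field; the actual header/field names are not known.
const TRIGGER_KEY = 'DEFAULT_123';
const MALICIOUS_PACKAGES = new Set(['express-api-sync', 'system-health-sync-api']);

// Returns the locations ("header:<name>" / "body:<name>") where the key appears.
function findTriggerKey(req) {
  const hits = [];
  for (const [name, value] of Object.entries(req.headers || {})) {
    // Express may present repeated headers as arrays; check each value.
    if ([].concat(value).some((v) => String(v) === TRIGGER_KEY)) hits.push(`header:${name}`);
  }
  const body = req.body && typeof req.body === 'object' ? req.body : {};
  for (const [name, value] of Object.entries(body)) {
    if (String(value) === TRIGGER_KEY) hits.push(`body:${name}`);
  }
  return hits;
}

// Express middleware: log and reject any request carrying the trigger key
// before it can reach a hidden endpoint registered by a malicious package.
function blockBackdoorTrigger(req, res, next) {
  const hits = findTriggerKey(req);
  if (hits.length > 0) {
    console.warn(`blocked backdoor trigger from ${req.ip}: ${hits.join(', ')}`);
    return res.status(403).end();
  }
  next();
}

// Scan a package.json-shaped object for the two package names named in the report.
function findMaliciousDependencies(manifest) {
  const found = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const name of Object.keys(manifest[section] || {})) {
      if (MALICIOUS_PACKAGES.has(name)) found.push(name);
    }
  }
  return found;
}

// Constructed sample inputs for a stand-alone run.
const sampleRequest = { ip: '203.0.113.7', headers: { 'x-sync-key': 'DEFAULT_123' }, body: { action: 'sync' } };
const sampleManifest = { dependencies: { express: '^4.19.0', 'express-api-sync': '^1.0.0' } };
console.log(findTriggerKey(sampleRequest), findMaliciousDependencies(sampleManifest));
```

Mount `blockBackdoorTrigger` before any other middleware so the check runs regardless of which hidden route the package registered.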
System-health-sync-api, on the other hand, packs legitimate-looking capabilities related to a flexible monitoring system covering dependencies, frameworks, and health checks. It uses email for covert communication with the threat actor.
According to Socket, the package harvests extensive system information, including environment variables that allow attackers to fingerprint servers with specific configurations.
The package appears to work on Windows servers running IIS with Node.js, Linux servers, and macOS. It can identify the operating system, adjusting the deletion command to it.
“The Windows command […] is particularly devastating as it removes the current directory itself, not just its contents,” Socket notes.
The cybersecurity firm discovered that the package uses SMTP for data exfiltration, that it connects to a legitimate email service using hardcoded credentials, and that for each significant event it sends out emails containing the full backend URL, “potentially exposing internal infrastructure details, development environments, or staging servers”.
To ensure success, the package creates three endpoints, two of which are backdoors, deployed for redundancy reasons. Both, however, “support dry-run mode for reconnaissance and include the same cross-platform deletion logic”.
“These packages represent a concerning addition to NPM’s threat landscape. While most attacks focus on stealing cryptocurrency or credentials, these prioritize complete system destruction. The progression from express-api-sync’s basic backdoor to system-health-sync-api’s multi-layered approach shows this particular threat actor refining their techniques,” Socket notes.