Malicious npm Utility Packages Enable Attackers to Wipe Production Systems
Socket’s Threat Research Team has uncovered two malicious npm packages, express-api-sync and system-health-sync-api, designed to masquerade as legitimate utilities while embedding destructive backdoors capable of annihilating production systems.
Published under the npm alias “botsailer” with the associated email anupm019@gmail[.]com, these packages represent a shift from traditional data theft to outright sabotage.
New Wave of Sabotage in the npm Ecosystem
Unlike typical malware aiming for cryptocurrency or credential theft, these tools prioritize data destruction, suggesting motivations rooted in competitive sabotage or state-level disruption.
Their sophisticated design and stealthy execution highlight a growing threat within the software supply chain, targeting developers who unknowingly integrate these packages into their Node.js applications.
The express-api-sync package, marketed as a database synchronization tool, offers no such functionality.

Instead, it covertly installs a backdoor that activates on the first HTTP request to any endpoint in an Express application.
A hidden POST endpoint at `/api/this/that`, gated by the hardcoded key “DEFAULT_123,” triggers the Unix command `rm -rf *`, deleting all files in the application’s working directory: source code, configurations, and local databases alike.
Its stealth is enhanced by an empty catch block that suppresses error logs, ensuring failures in backdoor registration remain undetected.
Meanwhile, system-health-sync-api escalates the threat with a multi-faceted attack vector.
From Deceptive Functionality to Catastrophic Deletion
Posing as a health monitoring utility with convincing features like framework detection (Express, Fastify, raw HTTP) and a functional health check endpoint, it gathers extensive server intelligence (hostname, IP, environment variable hashes, and backend URLs) before unleashing destruction.
This package adapts its deletion commands to the operating system, using `rd /s /q .` on Windows for recursive directory removal and `rm -rf *` on Unix/Linux systems, ensuring cross-platform devastation.
Beyond its destructive capabilities, system-health-sync-api employs email-based command and control, utilizing hardcoded SMTP credentials (via smtp[.]hostinger[.]com) to exfiltrate reconnaissance data to the attacker’s email, anupm019@gmail[.]com.
Poorly obfuscated credentials, like the Base64-encoded password “Rebel@shree1,” reveal the attacker’s reliance on simple encoding over secure encryption.
The package creates multiple endpoints for redundancy, including a primary backdoor at POST `/_/system/health` and a secondary at POST `/_/sys/maintenance`, each with a distinct authentication header (“x-system-key” and “x-maintenance-key”) and the hardcoded key “HelloWorld.”
Such design choices not only maximize activation chances but also provide attackers with detailed error messages and hints for successful exploitation, showcasing an alarming level of intent to ensure destruction.
According to the report, Socket’s analysis underscores the evolution of npm threats, urging developers to adopt behavioral scanning tools to detect such middleware-based attacks, which run with the full privileges of the host application.
As these packages signal a trend toward sabotage over theft, the npm ecosystem faces a critical need for heightened vigilance and proactive defense mechanisms to safeguard production environments.
Indicators of Compromise (IOCs)
| Category | Indicator |
|---|---|
| Malicious Packages | express-api-sync, system-health-sync-api |
| Network Indicators | smtp[.]hostinger[.]com:465, auth@corehomes[.]in |
| Threat Actor Identifiers | npm alias: botsailer, email: anupm019@gmail[.]com |
| Endpoints | POST /api/this/that, GET /_/system/health, POST /_/system/health, POST /_/sys/maintenance |
| Authentication Keys | DEFAULT_123 (express-api-sync), HelloWorld (system-health-sync-api) |