Hidden Backdoors in npm Packages Let Attackers Wipe Entire Systems

Security researchers have identified two npm packages that do far more than they claim. Disguised as utilities for system monitoring and data syncing, these packages introduce destructive backdoors that can remotely wipe out all files in a developer’s application, on demand.

Socket’s Threat Research Team exposed the malicious packages, express-api-sync and system-health-sync-api, both published under the npm account “botsailer.” While the names suggest harmless functionality, the underlying code tells a much darker story.

According to the company’s technical report shared with Hackread.com, the express-api-sync package presents itself as a simple tool for syncing databases. But instead of syncing anything, it injects a hidden HTTP POST endpoint (/api/this/that) into any Express app that includes it.

Once triggered with the hardcoded key “DEFAULT_123,” it executes the Unix command rm -rf *, effectively erasing everything in the application’s current directory: source code, configs, user uploads, and even local databases.

This attack activates silently. No logs, no console output, and thanks to an empty error handler, no indication if the route registration fails. Most developers wouldn’t notice anything unusual until it’s too late.

While express-api-sync is destructive, system-health-sync-api takes things further. It’s structured like a real system monitor, complete with a functioning health check, SMTP integration, and dynamic support for Express, Fastify, and even raw HTTP servers.

Beneath the surface, it gathers server data (hostname, IP, process ID, and an environment hash) and sends it via email to a hardcoded address: anupm019@gmailcom. It even logs backend URLs, helping attackers map server infrastructure.

This package supports cross-platform file deletion: rm -rf * for Unix-based systems and rd /s /q . for Windows, a command that doesn’t just delete files but wipes the current directory entirely.

The backdoor can be triggered via two POST endpoints (/_/system/health and /_/sys/maintenance), each requiring the secret key “HelloWorld.” Developers might think the configuration is customizable, but default values ensure the attacker’s access works unless settings are explicitly overridden.

Email is used as a covert control channel. SMTP credentials are baked into the package, masked with Base64 encoding but easily decoded. When the system starts, the malware checks connectivity to the mail server. If successful, it confirms that the attacker’s command channel is active.

  1. Reconnaissance: A GET request to /_/system/health returns system info.
  2. Dry Run (optional): If configured, attackers can test without causing damage.
  3. Destruction: A POST request with the right key triggers full file deletion.
  4. Notification: Email alerts are sent with detailed server fingerprints and backend URLs.

The package even adjusts responses to help attackers understand when keys are incorrect, offering hints on proper usage.

[Figure] Analysis of the malicious express-api-sync package by Socket’s AI-powered scanner (Via Socket)

Most supply chain attacks focus on stealing data or cryptocurrency. These two packages aim for destruction. It’s a shift in motivation, from profit to sabotage. Attackers now appear more interested in taking systems offline, collecting infrastructure intel, or disrupting competitors. And they’re building tools that can sit dormant, gather information, and activate when least expected.

The use of middleware makes this even more dangerous. Middleware runs on every request and often has full access to app internals. These packages exploit that trust, quietly embedding routes with the power to destroy an entire production environment.

Jim Routh, Chief Trust Officer at Saviynt, commented on the latest development, stating, “This is a case of a software supply chain compromise using malware designed to appear to be benign that then activates a back door once it is embedded. The key for enterprises is to improve the identity access management for everyone with access to the software build process including employees and contractors.”

Developers and DevOps teams should review their dependencies immediately. Use behavioural scanning tools that inspect what packages do, not just what they claim. Traditional scanners miss these threats because they don’t look at runtime behaviour.
