Malicious npm packages posing as legitimate application utilities create destructive backdoor endpoints that enable remote deletion of app directories, Socket reported Thursday.
The packages — express-api-sync and system-health-sync-api — were published by npm user botsailer on June 3, 2025, and have since been removed by npm due to malicious code.
Express-api-sync purported to serve as a simple API for Express applications to sync data between two databases, but in reality had no legitimate function.
Instead, the middleware integrated by the package would register a malicious HTTP POST endpoint called “/api/this/that” that would silently wait for a “kill command” from the attacker, according to Socket.
Once this backdoor endpoint received a POST request containing the hardcoded key “DEFAULT_123” via a header or body parameter, the malware used the child_process.exec function to execute the Unix deletion command rm -rf *, which deleted all files in the application’s working directory.
While express-api-sync only affected Express applications running on Unix-like systems, system-health-sync-api was more complex and versatile, offering seemingly legitimate functions alongside its hidden destructive features.
The package had legitimate dependencies, including nodemailer and performance-now, and included a functional, benign health check endpoint that would return basic server status information. The package also offered multiple configurations to users, adding to the air of legitimacy.
However, system-health-sync-api also created destructive backdoors — one primary endpoint (POST /_/system/health) and a backup (POST /_/sys/maintenance) in case the first endpoint was blocked. As with express-api-sync, these endpoints would trigger deletion commands after receiving a request from the attacker containing a specific key.
The attackers used their email address, anupm019@gmail[.]com, as a communication channel to receive notifications from the malware, including any configuration updates made by the targeted developer. While the hardcoded default key for the “kill command” request was “HelloWorld,” the attacker could adjust it if the key was changed by the victim.
The package automatically detected the operating system (Windows or Unix-like) and framework (Express, Fastify or a native HTTP module) to tailor its actions to the target application. It used the rm -rf * deletion command for Unix and rd /s /q . on Windows to wipe the application’s files.
The malware also gathered information about the target system before wiping files, including the host name, IP address and a hash of the environment variables, the latter of which could be used to create a “fingerprint” to “help attackers identify servers with specific configurations or detect when environment variables change,” the Socket researchers stated.
While these short-lived packages only received about 300 downloads combined during the time they were available, their discovery highlights threats developers should be aware of when relying on npm utilities.
Unlike common npm attacks focused on cryptocurrency and credential theft, these packages threaten to sabotage and disrupt developers through their destructive capabilities.
The Socket team concluded that they expect to see more attacks in the future targeting specific application frameworks, such as Express and Fastify, as well as more advanced attacks involving potential reconnaissance of entire company infrastructures. Additionally, the “kill switches” planted by these packages could lie dormant for months or years before executing their destructive commands, allowing for coordinated attacks.
Fake npm utilities remotely delete entire app directories