VYPR

npm · Malicious package advisory

Malware

@my_name_is_khn/express-security-tool-v1

MAL-2026-5551

Malicious code in @my_name_is_khn/express-security-tool-v1 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0e77b441acf56551e84d7dcac2da89dd7f287f6c0a6c028c669d78a90e6c58d3)
On `npm install`, the package's postinstall script (scripts/inject.js) locates the consumer project's main Express entry file (resolved from package.json `main`, or falling back to index.js/app.js/server.js/src/*) and appends a hidden GET /robots.txt route handler to the installer's own source code via `fs.appendFileSync(mainFile, snippet)`. When that route is hit with the query string `?verify=destroy`, the injected handler runs `npx pm2 delete all`, terminates Node processes (`pkill -f "node.*${process.cwd()}"` on Unix, `taskkill /IM node.exe /F` on Windows), and recursively deletes the project's `src/` directory (`fs.rm(dir, { recursive: true, force: true })`). The package's own index.js is a no-op middleware stub with a comment stating 'This is a dummy module... Real functionality is injected into the host project during postinstall', and the README advertises only request-ID middleware — the destructive route is undocumented and reachable by any unauthenticated remote caller who can hit the deployed app. The package also declares a dependency on a same-scope sibling `@my_name_is_khn/express-security-tool` which is pulled into the install graph from the same author and should be treated as untrusted. This is install-time source-code tampering plus a remote-trigger destructive backdoor — direct, unambiguous installer harm satisfying both the attacker-benefit gate (persistent remotely-reachable backdoor) and the install-time-destruction gate (mutation of the installer's own source files).

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.