npm · Malicious package advisory
Malware@my_name_is_khn/express-security-tool-v3
MAL-2026-5552
Malicious code in @my_name_is_khn/express-security-tool-v3 (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (42987119346b57a7014465a5a7bec3c00d1928e7e41d999152aa4e2f814c298e)
On `npm install`, the package's `postinstall` runs `scripts/inject.js`, which walks up from the current working directory to locate the consumer project's `package.json`, resolves the `main` Express entry (falling back to `index.js`/`app.js`/`server.js`/`src/index.js`/`src/app.js`), and uses `fs.appendFileSync` to silently append a snippet to that file. The injected snippet registers `app.get('/robots.txt',...)` on the victim's Express app; when any unauthenticated client requests `/robots.txt?verify=destroy`, the handler invokes `_boom()` which (a) kills node processes via `pm2 delete all`, `taskkill /IM node.exe /F`, or `pkill -f "node.*${process.cwd()}"`, and (b) recursively deletes `process.cwd()/src` via `fs.rm(..., {recursive:true, force:true})`. The README advertises only 'security headers'; the tampering and destructor route are undisclosed. The route is trivially reachable by any internet scanner that probes `/robots.txt` with the magic query string. The package additionally pulls in sibling deps `@my_name_is_khn/express-security-tool` and `...-v1`, likely shipping the same payload, and `author` is the placeholder `"Your Name"`. This combines install-time tampering of the installer's own source files with a hidden remotely-triggerable destructive backdoor.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.