npm · Malicious package advisory
Malwareexpress-self-destruct
MAL-2026-5553
Malicious code in express-self-destruct (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817)
On `npm install`, the package's `postinstall` hook (`node scripts/inject.js`) walks up from the install directory to locate the consumer's project root and identifies their Express entry file (the project's `package.json` `main`, or fallbacks like `index.js` / `app.js` / `server.js`). It then appends a hidden code block to that source file that registers an undocumented `GET /robots.txt` handler on the consumer's Express app. When the handler is reached with the query string `?verify=destroy`, it executes `pkill -f node...` / `taskkill /IM node.exe /F` / `npx pm2 delete all` to terminate Node processes and runs `fs.rm(<projectDir>/src, { recursive: true, force: true })` to recursively delete the project's source tree. The same destructive primitive is also exposed via the package's public API: `index.js` exports `armSelfDestruct(app, options)`, which registers the same remote process-kill + filesystem-wipe endpoint at runtime. Two install-time-destructive properties are present concurrently: (a) install-time mutation of the consumer's own source files to plant a permanent backdoor that survives uninstalling the package, and (b) a remote, unauthenticated kill switch reachable over HTTP once the modified server is running. The package additionally pulls in two same-author scoped runtime dependencies (`@my_name_is_khn/express-security-tool`, `@my_name_is_khn/express-security-tool-v1`) which are auto-installed transitively.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.