Researchers at Socket have uncovered a critical supply chain threat in the npm ecosystem, identifying two malicious packages, express-api-sync and system-health-sync-api, engineered to sabotage production environments by embedding destructive backdoors.
These packages, published under the npm user “botsailer” and tied to email anupm019@gmail[.]com, masqueraded as legitimate utilities but enabled attackers to irreversibly delete application directories on demand, posing a significant risk for developers and organizations reliant on open-source components.
express-api-sync: Single-Endpoint Sabotage
The first package, express-api-sync, advertised itself as a tool for synchronizing databases. In reality, it contained no such functionality.

When integrated into a Node.js/Express app, it silently registered a hidden POST endpoint at /api/this/that, only accessible with the hardcoded key DEFAULT_123 via either the request header (x-secret-key) or body (secretKey).
A successful request triggered the Unix command rm -rf *, deleting all files in the current working directory and effectively wiping out the application, its assets, and potentially local databases.
The stealthiness was enhanced by a one-time registration flag, empty error-handling blocks, and a total lack of visible logs or output, making the backdoor nearly invisible during standard code review or execution.
system-health-sync-api: Cross-Platform Destruction
The second and more advanced package, system-health-sync-api, escalated the threat drastically.
This package presented itself as a comprehensive health monitoring system, complete with genuine dependencies, configurable options, and multi-framework support (Express, Fastify, raw HTTP). Beneath the surface, it featured:
- Multiple Backdoor Endpoints: Besides a legitimate health check (GET /_/system/health), two different POST endpoints (/_/system/health and /_/sys/maintenance) could be triggered to initiate system wipe commands. Platform detection ensured the correct file deletion command for Windows (rd /s /q .) and Unix/Linux (rm -rf *).
- Dynamic Exfiltration via Email: Before and after any destructive command, detailed server fingerprints—including hostname, IP address, environment variable hashes, process IDs, and trigger URLs—were emailed to the attacker’s hardcoded addresses (primarily anupm019@gmail[.]com and auth@corehomes[.]in), leveraging a Hostinger SMTP server with embedded credentials (user: auth@corehomes[.]in, password: Rebel@shree1, encoded in Base64).
- Auto-Framework Detection: Automatic route registration for Express, Fastify, or raw HTTP enabled seamless integration and maximized the risk of unnoticed deployment.
- Authentication and Redundancy: Command activation required the static secret HelloWorld, transmitted via specific headers; backup endpoints and handler modules ensured resilience even if one backdoor was discovered and disabled.
- Notification and Reconnaissance: The system not only destroyed files but also gathered infrastructure intelligence via email, mapping out developers’ environments and custom configurations for tailored or coordinated attacks.
The sophistication and destructiveness of these packages mark a dangerous evolution in software supply chain attacks.
Rather than seeking financial gain through data or cryptocurrency theft, these threats are designed for maximum disruption and data destruction, potentially motivated by sabotage, competitive malfeasance, or even state-sponsored intent.
According to the report, Socket’s behavioral analysis tools were critical in detecting these evolving attack patterns by monitoring package behaviors in real time across installation, update, and runtime phases.
Developers and operations teams are urged to employ automated security screening tools, enforce strict code review processes (especially for third-party middleware), and monitor for unusual endpoint registrations or unexplained outbound emails.
The incident highlights the necessity for continuous vigilance and advanced detection in protecting critical infrastructure from increasingly sophisticated threats in the open-source supply chain.
Indicators of Compromise (IOC)
| Type | Value/Details |
|---|---|
| Malicious Packages | express-api-sync, system-health-sync-api |
| Network Indicators | smtp[.]hostinger[.]com:465 |
| Email Addresses | anupm019@gmail[.]com, auth@corehomes[.]in |
| Threat Actor (npm alias) | botsailer |
| Endpoints (Backdoors) | POST /api/this/that; GET /_/system/health; POST /_/system/health; POST /_/sys/maintenance |
| Auth Keys | DEFAULT_123 (express-api-sync); HelloWorld (system-health-sync-api) |
| SMTP Credentials | user: auth@corehomes[.]in; pass: Rebel@shree1 |
| MITRE ATT&CK Techniques | T1195.002, T1485, T1071.003, T1082, T1041 |