{"id":"MAL-2026-5553","summary":"Malicious code in express-self-destruct (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817)\nOn `npm install`, the package's `postinstall` hook (`node scripts/inject.js`) walks up from the install directory to locate the consumer's project root and identifies their Express entry file (the project's `package.json` `main`, or fallbacks like `index.js` / `app.js` / `server.js`). It then appends a hidden code block to that source file that registers an undocumented `GET /robots.txt` handler on the consumer's Express app. When the handler is reached with the query string `?verify=destroy`, it executes `pkill -f node...` / `taskkill /IM node.exe /F` / `npx pm2 delete all` to terminate Node processes and runs `fs.rm(\u003cprojectDir\u003e/src, { recursive: true, force: true })` to recursively delete the project's source tree. The same destructive primitive is also exposed via the package's public API: `index.js` exports `armSelfDestruct(app, options)`, which registers the same remote process-kill + filesystem-wipe endpoint at runtime. Two install-time-destructive properties are present concurrently: (a) install-time mutation of the consumer's own source files to plant a permanent backdoor that survives uninstalling the package, and (b) a remote, unauthenticated kill switch reachable over HTTP once the modified server is running. The package additionally pulls in two same-author scoped runtime dependencies (`@my_name_is_khn/express-security-tool`, `@my_name_is_khn/express-security-tool-v1`) which are auto-installed transitively.\n","modified":"2026-06-11T04:01:32.108343850Z","published":"2026-06-11T02:50:48Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-11T02:50:48Z","versions":["1.0.0"],"import_time":"2026-06-11T03:48:45.022490833Z","source":"amazon-inspector","sha256":"d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817","id":"IN-MAL-2026-005388"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-self-destruct/v/1.0.0"}],"affected":[{"package":{"name":"express-self-destruct","ecosystem":"npm","purl":"pkg:npm/express-self-destruct"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-self-destruct/MAL-2026-5553.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"b1970350a7bc69bef9cf4061fd46571d344e2c11dde87f0e69ea28e983340eae","path":"scripts/inject.js","tlsh":"c7513254c67a4231eef277fd622a0416ba5bd831365151e0b2dc817d3f9247148e2efe"},{"sha256":"b4a167a57e5f595fb09ec2bdab95c4ffc631d8c462e2c870145279a1239a06cc","path":"package.json","tlsh":"9ef059359818dc3311f5b6a76874410ab0220f1b00a5dc0e77ba00ec87623970c5ebe8"},{"sha256":"e3a1fffbf951e26f15b9839232eba4342d091b529461620e3591315892572231","path":"index.js","tlsh":"da31fe42223ea172d9f177b6f9171853b97bc627206692e0329ca2651fb1015c82bdec"}],"package_integrity":[{"filename":"express-self-destruct-1.0.0.tgz","hashes":{"sha512_sri":"sha512-pjiO3RNNseiPcpXzhETBa0fgZrmU2fOD21RfKr0L5rN4r4ZpftJCADVp5bznJ6EUckS01A2gSUEMgUxp3omZUQ==","sha1":"2d95ac841d657450bebbf049b8bfb78ebc170293"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
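The advisory describes two things a responder has to check separately: the package's own install hook and dependency list (caught before or at install time), and the consumer's entry file, which stays modified after `npm uninstall express-self-destruct`. The following offline triage helpers are an added example written for this page; they are not code from the advisory, from Amazon Inspector, or from the package. The function names, the `KNOWN_BAD` list (taken from the package names in the advisory), the constructed consumer `package.json`, and the constructed entry-file fixture are all assumptions of the example; the fixture only reproduces the textual shape the advisory describes so that the scan has something to match, and it is never evaluated.

```javascript
// Added example: offline triage for the behaviours described in MAL-2026-5553.
// Not code from the advisory or the package. All fixtures below are constructed.

// Package names named in the advisory (the package and its two same-author deps).
const KNOWN_BAD = new Set([
  'express-self-destruct',
  '@my_name_is_khn/express-security-tool',
  '@my_name_is_khn/express-security-tool-v1',
]);

// npm lifecycle scripts that run code on the installing machine.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// 1. Install-time code execution declared by a package.json object.
function installScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => [h, scripts[h]]);
}

// 2. Direct dependencies that match the advisory's package names.
function knownBadDeps(pkg) {
  const hits = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (KNOWN_BAD.has(name)) hits.push(name);
    }
  }
  return hits;
}

// 3. Entry-file candidates in the order the advisory says the injector tries them:
//    package.json "main" first, then index.js / app.js / server.js.
function entryCandidates(pkg) {
  const out = [];
  if (typeof pkg.main === 'string') out.push(pkg.main);
  for (const f of ['index.js', 'app.js', 'server.js']) if (!out.includes(f)) out.push(f);
  return out;
}

// 4. Heuristic scan of an entry file for the planted handler. A /robots.txt route
//    alone is normal; flag only when it co-occurs with at least two of the
//    destructive indicators the advisory lists (verify=destroy gate, process kill,
//    recursive fs.rm).
function scanForKillSwitch(source) {
  const route = /\.(get|all|use)\s*\(\s*['"`]\/robots\.txt['"`]/.test(source);
  const indicators = {
    verifyDestroy: /verify\b[^\n]*destroy/.test(source),
    processKill: /pkill\s+-f|taskkill\s+\/IM|pm2\s+delete/.test(source),
    recursiveRm: /fs(?:\.promises)?\.rm(?:Sync)?\s*\([\s\S]{0,200}?recursive\s*:\s*true/.test(source),
  };
  const found = Object.keys(indicators).filter((k) => indicators[k]);
  return { route, indicators: found, suspicious: route && found.length >= 2 };
}

// Ties the checks together for one project: pkg is the parsed package.json,
// files maps relative path -> file contents (read from disk in real use).
function triageProject(pkg, files) {
  const entry = entryCandidates(pkg)
    .find((f) => Object.prototype.hasOwnProperty.call(files, f)) || null;
  return {
    installScripts: installScripts(pkg),
    knownBadDeps: knownBadDeps(pkg),
    entry,
    killSwitch: entry ? scanForKillSwitch(files[entry]) : null,
  };
}

// Constructed fixtures (assumptions of this example, not real project files).
const FIXTURE_PKG = {
  name: 'example-app',
  main: 'server.js',
  scripts: { start: 'node server.js' },
  dependencies: { express: '^4.19.2', 'express-self-destruct': '1.0.0' },
};
const FIXTURE_MALICIOUS_PKG = {
  name: 'express-self-destruct',
  version: '1.0.0',
  scripts: { postinstall: 'node scripts/inject.js' },
  dependencies: {
    '@my_name_is_khn/express-security-tool': '*',
    '@my_name_is_khn/express-security-tool-v1': '*',
  },
};
// Inert string that mimics the shape the advisory describes; runShell is undefined
// on purpose and nothing here is ever executed.
const FIXTURE_SOURCE = [
  "const express = require('express');",
  'const app = express();',
  "app.get('/', (req, res) => res.send('ok'));",
  "app.get('/robots.txt', (req, res) => {",
  "  if (req.query.verify === 'destroy') {",
  "    runShell('pkill -f node');",
  "    fs.rm(path.join(__dirname, 'src'), { recursive: true, force: true });",
  '  }',
  "  res.type('text/plain').send('User-agent: *');",
  '});',
].join('\n');
// A legitimate robots.txt route, to show the scan does not flag it.
const BENIGN_SOURCE =
  "app.get('/robots.txt', (req, res) => res.type('text/plain').send('User-agent: *'));";

console.log(JSON.stringify(triageProject(FIXTURE_PKG, { 'server.js': FIXTURE_SOURCE }), null, 2));
```

Because the appended block lives in the consumer's own source, removing the dependency is not remediation: restore the entry file from version control (or diff it against the last known-good commit) and restart the server, since an already-running process still serves the handler. Refusing lifecycle scripts by default (`npm install --ignore-scripts`, or `npm config set ignore-scripts true`) would have stopped the `postinstall` stage, but not the runtime path through `armSelfDestruct(app, options)` if the package is actually imported.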