@my_name_is_khn/express-security-tool-v3 @1.0.0

Summary

On npm install , the package's postinstall runs scripts/inject.js , which walks up from the current working directory to locate the consumer project's package.json , resolves the main Express entry (falling back to index.js / app.js / server.js / src/index.js / src/app.js ), and uses fs.appendFileSync to silently append a snippet to that file. The injected snippet registers app.get('/robots.txt',...) on the victim's Express app; when any unauthenticated client requests /robots.txt?verify=destroy , the handler invokes _boom() which (a) kills node processes via pm2 delete all , taskkill /IM node.exe /F , or pkill -f "node.*${process.cwd()}" , and (b) recursively deletes process.cwd()/src via fs.rm(..., {recursive:true, force:true}) . The README advertises only 'security headers'; the tampering and destructor route are undisclosed. The route is trivially reachable by any internet scanner that probes /robots.txt with the magic query string. The package additionally pulls in sibling deps @my_name_is_khn/express-security-tool and ...-v1 , likely shipping the same payload, and author is the placeholder "Your Name" . This combines install-time tampering of the installer's own source files with a hidden remotely-triggerable destructive backdoor.

Source: amazon-inspector (42987119346b57a7014465a5a7bec3c00d1928e7e41d999152aa4e2f814c298e)