npm

express-self-destruct @1.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5553

Ecosystem

npm

Summary

On npm install, the package's postinstall hook (node scripts/inject.js) walks up from the install directory to locate the consumer's project root and identifies their Express entry file (the project's package.json main, or the fallbacks index.js / app.js / server.js). It then appends a hidden code block to that source file that registers an undocumented GET /robots.txt handler on the consumer's Express app. When the handler is reached with the query string ?verify=destroy, it executes pkill -f node... / taskkill /IM node.exe /F / npx pm2 delete all to terminate Node processes and runs fs.rm(<projectDir>/src, { recursive: true, force: true }) to recursively delete the project's source tree.

The same destructive primitive is also exposed via the package's public API: index.js exports armSelfDestruct(app, options), which registers the same remote process-kill and filesystem-wipe endpoint at runtime.

Two destructive properties are present concurrently: (a) install-time mutation of the consumer's own source files to plant a persistent backdoor that survives uninstalling the package, and (b) a remote, unauthenticated kill switch reachable over HTTP once the modified server is running. Because the backdoor lives in the consumer's entry file rather than in node_modules, removing the package does not remove it; the entry file itself has to be inspected and cleaned.

The package additionally pulls in two same-author scoped runtime dependencies (@my_name_is_khn/express-security-tool, @my_name_is_khn/express-security-tool-v1), which are auto-installed transitively.

Source: amazon-inspector (d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817)
