Two malicious npm packages, express-api-sync and system-health-sync-api, contain backdoors designed to wipe out entire production environments when triggered. These packages use hidden endpoints, cross-platform destruction commands, and covert email communication channels to gather intelligence and execute system destruction. #express-api-sync #system-health-sync-api #botsailer #npm
Keypoints
- Two npm packages, express-api-sync and system-health-sync-api, were found to contain destructive backdoors capable of deleting entire application directories.
- express-api-sync registers a single hidden endpoint, POST /api/this/that, and when a request carries the hardcoded key “DEFAULT_123” it runs the Unix command rm -rf * in the process’s current working directory, deleting everything under the application directory (the command is Unix-only, so it does nothing useful for the attacker on a Windows host).
- system-health-sync-api is more sophisticated: it supports multiple web frameworks, carries platform-specific deletion commands (rm -rf * on Unix, rd /s /q . on Windows), and gathers extensive information about the target system (hostname, IP address, process ID, hashes of environment variables) before destruction.
- system-health-sync-api also uses a covert SMTP channel, with credentials hardcoded in the package, to report detailed system and attack-status information to the threat actor’s email address.
- The package registers three redundant destruction endpoints (GET //system/health, POST //system/health and POST /_/sys/maintenance, the double slash being literal) and returns descriptive error messages that tell an attacker why a trigger attempt failed, making it easy to supply the correct key (“HelloWorld”).
- The threat actor operating under the npm alias botsailer uses the email anupm019@gmail[.]com for package registration and command-and-control communication.
- This attack demonstrates a shift towards sabotage-focused attacks, prioritizing complete data destruction over theft.
MITRE Techniques
- [T1195.002] Supply Chain Compromise – Compromise of software supply chain by publishing malicious npm packages masquerading as legitimate utilities (“Two malicious npm packages that masquerade as legitimate utilities”).
- [T1485] Data Destruction – Execution of destructive commands to delete all files in the application directory (`exec('rm -rf *', {cwd: process.cwd()})`, `rd /s /q .`).
- [T1071.003] Application Layer Protocol: Mail Protocols – Use of SMTP for covert command and control communication and data exfiltration (“package uses email as a covert communication channel…”, “transporter.sendMail(…)”).
- [T1082] System Information Discovery – Collection of system and environment data including hostname, IP, process ID, and environment variable hashes before destruction (“The package harvests extensive information about the target system…”).
- [T1041] Exfiltration Over C2 Channel – Sending system fingerprints and backend URL via email to attacker-controlled address (“Every significant event triggers an email to anupm019@gmail[.]com…”).
Indicators of Compromise
- [Malicious Packages] npm package names used for backdoors – express-api-sync, system-health-sync-api
- [Email Addresses] Threat actor communication and registration – anupm019@gmail[.]com
- [Network] SMTP command and control server – smtp[.]hostinger[.]com:465
- [Authentication Keys] Backdoor activation keys – DEFAULT_123 (express-api-sync), HelloWorld (system-health-sync-api)
- [Endpoints] Malicious HTTP endpoints for triggering payloads – POST /api/this/that, GET //system/health, POST //system/health, POST /_/sys/maintenance
Read more: https://socket.dev/blog/destructive-npm-packages-enable-remote-system-wipe