MAL-2026-5553

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-self-destruct/MAL-2026-5553.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5553
Published
2026-06-11T02:50:48Z
Modified
2026-06-11T04:01:32.108343850Z
Summary
Malicious code in express-self-destruct (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817)

On npm install, the package's postinstall hook (node scripts/inject.js) walks up from the install directory to locate the consumer's project root and identifies their Express entry file (the project's package.json main, or fallbacks like index.js / app.js / server.js). It then appends a hidden code block to that source file that registers an undocumented GET /robots.txt handler on the consumer's Express app. When the handler is reached with the query string ?verify=destroy, it executes pkill -f node... / taskkill /IM node.exe /F / npx pm2 delete all to terminate Node processes and runs fs.rm(<projectDir>/src, { recursive: true, force: true }) to recursively delete the project's source tree.

The same destructive primitive is also exposed via the package's public API: index.js exports armSelfDestruct(app, options), which registers the same remote process-kill + filesystem-wipe endpoint at runtime.

Two install-time-destructive properties are present concurrently: (a) install-time mutation of the consumer's own source files to plant a permanent backdoor that survives uninstalling the package, and (b) a remote, unauthenticated kill switch reachable over HTTP once the modified server is running. The package additionally pulls in two same-author scoped runtime dependencies (@my_name_is_khn/express-security-tool, @my_name_is_khn/express-security-tool-v1) which are auto-installed transitively.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005388",
            "import_time": "2026-06-11T03:48:45.022490833Z",
            "sha256": "d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:50:48Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / express-self-destruct

Package

Name
express-self-destruct
Purl
pkg:npm/express-self-destruct

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "scripts/inject.js",
            "sha256": "b1970350a7bc69bef9cf4061fd46571d344e2c11dde87f0e69ea28e983340eae",
            "tlsh": "c7513254c67a4231eef277fd622a0416ba5bd831365151e0b2dc817d3f9247148e2efe"
        },
        {
            "path": "package.json",
            "sha256": "b4a167a57e5f595fb09ec2bdab95c4ffc631d8c462e2c870145279a1239a06cc",
            "tlsh": "9ef059359818dc3311f5b6a76874410ab0220f1b00a5dc0e77ba00ec87623970c5ebe8"
        },
        {
            "path": "index.js",
            "sha256": "e3a1fffbf951e26f15b9839232eba4342d091b529461620e3591315892572231",
            "tlsh": "da31fe42223ea172d9f177b6f9171853b97bc627206692e0329ca2651fb1015c82bdec"
        }
    ],
    "package_integrity": [
        {
            "filename": "express-self-destruct-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-pjiO3RNNseiPcpXzhETBa0fgZrmU2fOD21RfKr0L5rN4r4ZpftJCADVp5bznJ6EUckS01A2gSUEMgUxp3omZUQ==",
                "sha1": "2d95ac841d657450bebbf049b8bfb78ebc170293"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-self-destruct/MAL-2026-5553.json"