MAL-2026-5554

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-self-destruct2/MAL-2026-5554.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5554
Published
2026-06-11T02:50:52Z
Modified
2026-06-11T04:01:29.213715312Z
Summary
Malicious code in express-self-destruct2 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c21246439a04267591c998594f92ac1267c86698f5dcc3463ad2cd932abb04dc)

On install, the package's postinstall hook (scripts/inject.js) locates the installing project's root and main entry (from package.json, falling back to app.js or server.js), detects the Express app variable, and silently appends a hidden /robots.txt route handler to the installer's own source file. When that route is requested with ?verify=destroy, the injected handler runs npx pm2 delete all, taskkill /IM node.exe /F (Windows) or pkill -f "node.*<cwd>" (Unix), and recursively deletes the project's src/ directory with fs.rm. The library's main module (index.js) additionally exports armSelfDestruct(app, options), which registers the same destructive route programmatically: on ?verify=destroy it executes pkill -f "node.*${process.cwd()}" and fs.rm(process.cwd() or process.cwd()/<deleteFolder>, { recursive: true, force: true }); with deleteFolder='' the call wipes the entire working directory. package.json also declares a dependency on the sibling package express-self-destruct1, despite the README advertising zero dependencies, pulling additional related code into the installer's dependency tree. The combination of install-time source tampering and a shipped, attacker-triggerable process-kill plus rm -rf primitive makes this destructive supply-chain malware regardless of its advertised purpose.
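A triage check for the markers this advisory describes, added here as an example and not part of the advisory or of the package: it reads package.json and entry-file contents as strings, flags lifecycle install hooks and the named sibling dependency, and looks for the /robots.txt route, the ?verify=destroy trigger and the kill or recursive-delete primitives in one source file. The KNOWN_BAD list, the regexes and the sample inputs are assumptions constructed for the check.

```javascript
// Added triage helper (not the advisory's or the package's code). It takes file
// contents as strings so it runs offline; a real scan would read package.json and
// the entry files (package.json "main", app.js, server.js) from the audited project.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Package names taken from the advisory; extend as needed.
const KNOWN_BAD = new Set(["express-self-destruct1", "express-self-destruct2"]);
// Markers of the injected handler as the advisory describes it.
const MARKERS = {
  robotsRoute: /['"`]\/robots\.txt['"`]/,
  destroyTrigger: /\bverify\b\s*[=:]{1,3}\s*['"`]?destroy\b/,
  processKill: /\b(pkill|taskkill|pm2\s+delete)\b/,
  recursiveRm: /fs\.rm(Sync)?\s*\([^)]*recursive\s*:\s*true/,
};

// Findings for a package.json text: lifecycle install hooks and known-bad deps.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push(`install hook ${hook}: ${pkg.scripts[hook]}`);
  }
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const dep of Object.keys(pkg[field] || {})) {
      if (KNOWN_BAD.has(dep)) findings.push(`depends on ${dep}`);
    }
  }
  return findings;
}

// Which markers a source file contains, and whether they form the full pattern:
// a /robots.txt route, the ?verify=destroy trigger and a kill or recursive rm.
function scanEntrySource(src) {
  const hits = Object.keys(MARKERS).filter((k) => MARKERS[k].test(src));
  const suspicious = hits.includes("robotsRoute") && hits.includes("destroyTrigger") &&
    (hits.includes("processKill") || hits.includes("recursiveRm"));
  return { hits, suspicious };
}

// Constructed samples (not the package's real files) for a self-check run.
const SAMPLE_PKG = JSON.stringify({
  name: "victim-app", main: "app.js", scripts: { postinstall: "node scripts/inject.js" },
  dependencies: { express: "^4.0.0", "express-self-destruct1": "1.0.0" },
});
const SAMPLE_INJECTED = `app.get('/robots.txt', (req, res) => {
  if (req.query.verify === 'destroy') selfDestruct(); // stand-in: taskkill + fs.rm({ recursive: true })
  res.send('User-agent: *');
});`;
const SAMPLE_CLEAN = `app.get('/robots.txt', (req, res) => res.send('User-agent: *'));`;
console.log(auditPackageJson(SAMPLE_PKG), scanEntrySource(SAMPLE_INJECTED), scanEntrySource(SAMPLE_CLEAN));
```

A benign /robots.txt route alone produces a single hit and is not flagged; only the route plus trigger plus a destructive primitive is reported as suspicious.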

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005389",
            "import_time": "2026-06-11T03:48:45.159594098Z",
            "sha256": "c21246439a04267591c998594f92ac1267c86698f5dcc3463ad2cd932abb04dc",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:50:52Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / express-self-destruct2

Package

Name
express-self-destruct2
Purl
pkg:npm/express-self-destruct2

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "scripts/inject.js",
            "sha256": "b1970350a7bc69bef9cf4061fd46571d344e2c11dde87f0e69ea28e983340eae",
            "tlsh": "c7513254c67a4231eef277fd622a0416ba5bd831365151e0b2dc817d3f9247148e2efe"
        },
        {
            "path": "package.json",
            "sha256": "77c836910cd27290eec52b87d0f66bf034c3de6e05fdb8a67464df2ddb1b7d2d",
            "tlsh": "0ff0e5319910ad7711fae6e76cb54247b0610f1b11e8dd0e32fb40a8475275708aefec"
        },
        {
            "path": "index.js",
            "sha256": "c27277229ee1fce5cc2a578a6045062b12e2bbf672663280c9b0f3acc4fe94d3",
            "tlsh": "7c51125212fe6062a9f627a2fb172413fc6fc32723a2926479bca3501fb00649436ddd"
        }
    ],
    "package_integrity": [
        {
            "filename": "express-self-destruct2-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-ouCbO3WEZQPt9YCEhVPj089NmOmXzo/VT+EtK3XqRv4tLas1IUOirou8T1GmQX2F4mB/TBx7btiwRl523qkiJA==",
                "sha1": "c5764891269cd0b4768e8e8680e90057db50dcc1"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-self-destruct2/MAL-2026-5554.json"