
Two malicious packages were recently discovered within the widely used JavaScript package registry, npm. Beneath their seemingly harmless names lay data-wiping malware designed to erase all files within an application’s working directory upon activation. These libraries—“express-api-sync” and “system-health-sync-api”—were disguised as tools for database synchronization and system health monitoring.
According to Socket, both packages contained backdoors that enabled remote initiation of data destruction routines on infected machines. The malicious code was published to the platform in May 2025 and swiftly removed following alerts from cybersecurity researchers.
By the time of their removal, “express-api-sync” had amassed 855 downloads, while “system-health-sync-api” had been downloaded 104 times. Despite these modest numbers, the potential for catastrophic damage was severe: upon execution, each package triggered a full wipe of the application’s working directory.
The first package created a covert POST endpoint at /api/this/that, listening for requests containing the secret key DEFAULT_123. Once received, the backdoor executed the command rm -rf *, irreversibly erasing all contents within the application directory—including source code, configurations, uploaded assets, and local databases. The outcome was then relayed back to the attacker via an HTTP response indicating whether the purge was successful.
The second package, “system-health-sync-api,” employed a more elaborate and multi-layered attack strategy. It registered several endpoints: GET /_/system/health — returns the current server status; POST /_/system/health — serves as the primary trigger for file deletion; POST /_/sys/maintenance — a fallback trigger.
This backdoor used a different secret key—HelloWorld. Upon receiving the correct key, the malware scanned the host system to identify its operating system and then executed the appropriate destruction command: rm -rf * for Linux and rd /s /q . for Windows. This cross-platform versatility made it particularly dangerous.
After completing its destructive routine, the module emailed the attacker at anupm019@gmail.com, including the backend server’s URL, the device’s digital fingerprint, and a report of the operation’s success. The attacker also received an immediate HTTP response confirming the deletion was complete.
The appearance of such data-wiping packages in npm is a rare and alarming development. Unlike conventional malware that steals data or mines cryptocurrency, these tools are built solely for devastation. Experts emphasize that such behavior points to motives beyond financial gain—suggesting sabotage, elimination of rivals, or even state-sponsored interference.
Security researchers warn that the presence of such packages in a public registry constitutes a grave threat to the entire JavaScript ecosystem. Given the vast reliance on automated dependency management, attacks of this nature could inflict irreparable harm, erasing developers’ projects and data with no possibility of recovery.