Destructive npm Packages Disguised as Tools Wipe Developer Projects

Two harmful npm packages, ‘express-api-sync’ and ‘system-health-sync-api’, have been uncovered posing as helpful utilities while secretly containing code to wipe entire application directories.

According to the security firm Socket, these packages included hidden backdoors that allowed remote actors to execute file deletion commands on affected systems. After being uploaded to npm in May 2025, they were downloaded nearly 1,000 times before being taken down.

The first package activates a deletion command when receiving a secret key through a concealed API endpoint, while the second offers multiple backdoor endpoints and supports both Linux and Windows commands for maximum impact.

In both cases, attackers receive live feedback and email updates with system details and confirmation of the wipe. Unlike typical malware that aims to steal data or money, these wipers appear designed purely for destruction, raising concerns about sabotage or potentially state-backed interference.

Socket describes these incidents as an alarming development in the npm ecosystem, diverging from the usual financially motivated attacks.
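To check whether a project ever pulled in either package, directly or transitively, the manifest and lockfile can be searched for the two names. The sketch below is an added example, not code from Socket or from the packages themselves; the function names, the sample data and the `some-wrapper` package are assumptions made for illustration.

```javascript
// Added example. The two package names come from the article; sample data is constructed.
const FLAGGED = new Set(['express-api-sync', 'system-health-sync-api']);

// package.json: check declared dependencies, resolving "npm:real-name@range" aliases.
function findInManifest(pkg) {
  const hits = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const alias = /^npm:((?:@[^/]+\/)?[^@]+)/.exec(String(spec));
      const real = alias ? alias[1] : name;
      if (FLAGGED.has(real)) hits.push({ name: real, field, via: name });
    }
  }
  return hits;
}

// package-lock.json: v2/v3 use a flat "packages" map keyed by install path;
// v1 uses nested "dependencies" keyed by name. Transitive installs are covered.
function findInLock(lock) {
  const hits = [];
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // "" is the root project itself
    const name = meta.name || path.slice(idx + marker.length);
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, via: path });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const via = trail.concat(name);
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, via: via.join(' > ') });
      walk(meta.dependencies, via);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []); // v2 duplicates both sections
  return hits;
}

// Constructed sample inputs (versions and the "some-wrapper" package are made up).
const sampleManifest = { dependencies: { express: '^4.18.0', sync: 'npm:express-api-sync@^1.0.0' } };
const sampleLockV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/express': { version: '4.18.2' },
  'node_modules/some-wrapper/node_modules/system-health-sync-api': { version: '0.0.0' } } };
const sampleLockV1 = { lockfileVersion: 1, dependencies: {
  'some-wrapper': { version: '1.0.0', dependencies: { 'express-api-sync': { version: '0.0.0' } } } } };

console.log(findInManifest(sampleManifest), findInLock(sampleLockV3), findInLock(sampleLockV1));
```

For a real project, pass the parsed contents of `package.json` and `package-lock.json` to these functions; a hit in an old lockfile or in version-control history indicates the package was installed at some point even though it is no longer on the registry.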
