Vulnerability
Malicious code in express-self-destruct2 (npm)
---

## Source: amazon-inspector (c21246439a04267591c998594f92ac1267c86698f5dcc3463ad2cd932abb04dc)

On install, the package's postinstall hook (scripts/inject.js) locates the installer's project root and main entry (from package.json `main`, falling back to app.js or server.js), detects the Express `app` variable, and silently appends a hidden `/robots.txt` route handler to the installer's own source file. When that route is requested with `?verify=destroy`, the injected handler runs `npx pm2 delete all`, then `taskkill /IM node.exe /F` (Windows) or `pkill -f "node.*<cwd>"` (Unix), and recursively `fs.rm`s the project's `src/` directory.

The library's main module (index.js) additionally exports `armSelfDestruct(app, options)`, which registers the same destructive route programmatically: on `?verify=destroy` it executes `pkill -f "node.*${process.cwd()}"` and `fs.rm(<process.cwd()> or <process.cwd()>/<deleteFolder>, { recursive: true, force: true })`; `deleteFolder=''` wipes the entire working directory.

package.json also declares a dependency on the sibling package `express-self-destruct1`, despite the README advertising "zero dependencies", pulling additional related code into the installer's tree.

The combination of install-time source tampering and a shipped, attacker-triggerable process-kill plus rm -rf primitive is destructive supply-chain malware regardless of its advertised purpose. Because the hook edits the installer's own entry file, removing the package does not undo that edit: the entry file (package.json `main`, app.js, server.js) must be inspected for the appended `/robots.txt` handler and cleaned, and any dependency on either `express-self-destruct2` or `express-self-destruct1` removed from the lockfile as well.
No CVSS base score from NVD or GHSA yet, and no EPSS score yet (FIRST.org publishes EPSS daily, but a record only carries a score once at least one exploitation signal lands).

Interim severity signal: no exploitation, limited impact or prevalence. Read that label as the absence of exploitation telemetry, not as a statement about capability: the description above is of malware whose process-kill and directory-wipe action fires on a single request to a public path, so the missing score is no reason to defer removal and cleanup.