Essentially, the code listens for a request containing a hardcoded key “DEFAULT_123” and, when triggered, executes a destructive “rm -rf *” command, deleting everything in the application’s root directory.
The second package, system-health-sync-api, is a little more stealthy and sophisticated, Pandya added. Masquerading as a system monitoring tool, it collects environment and system data, and exposes multiple undocumented HTTP endpoints such as /rm-rf-me and /destroy-host that, when hit, execute system-wiping commands.
The malicious monitoring package also exfiltrates execution details (like hostname, IP, CWD, environment hash) via email using hardcoded SMTP credentials, enabling attackers to track successful deployments.
