@my_name_is_khn/express-security-toolnpm

On npm install, the package's postinstall hook (scripts/inject.js) locates the installer's host project root, identifies the main entry file (index.js, app.js, or server.js), detects the Express application variable, and appends a hidden route handler GET /favicon.ico?key=d3str0y_th1s directly into that file via fs.appendFileSync. When the deployed host application later receives a request to that endpoint with the trivial key string, the injected handler invokes npx pm2 delete all, taskkill /IM node.exe /F on Windows or pkill -f "node.*${process.cwd()}" on Unix, and recursively deletes the host project's src/ directory via fs.rm(path.join(process.cwd(),'src'), { recursive: true, force: true }). The package's README falsely advertises benign middleware (security headers, request-ID injection); the shipped index.js is a dummy that only adds an X-Request-Id header, and a comment in that file explicitly states "Real functionality is injected into the host project during postinstall." The author field is the placeholder "Your Name". Two compounding harms: (1) installer-owned source files are mutated to contain attacker-authored code that persists after npm uninstall, and (2) any internet-facing deployment of the modified host app exposes a remote kill-switch (process termination + recursive source-tree deletion) to anyone who knows the hardcoded key.