Malicious package

express-self-destruct (npm)

Malicious code in express-self-destruct (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5553
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach. Because the postinstall hook rewrites the consumer's own Express entry file, uninstalling alone does not remove the planted handler: inspect that entry file for the appended block and restore it from version control.
npm uninstall express-self-destruct

What this malware does

On npm install, the package's postinstall hook (node scripts/inject.js) walks up from the install directory to locate the consumer's project root and identifies their Express entry file (the project's package.json main, or fallbacks like index.js / app.js / server.js). It then appends a hidden code block to that source file that registers an undocumented GET /robots.txt handler on the consumer's Express app.

When the handler is reached with the query string ?verify=destroy, it executes pkill -f node... / taskkill /IM node.exe /F / npx pm2 delete all to terminate Node processes and runs fs.rm(<projectDir>/src, { recursive: true, force: true }) to recursively delete the project's source tree. The same destructive primitive is also exposed via the package's public API: index.js exports armSelfDestruct(app, options), which registers the same remote process-kill + filesystem-wipe endpoint at runtime.

Two destructive properties are present concurrently: (a) install-time mutation of the consumer's own source files to plant a permanent backdoor that survives uninstalling the package, and (b) a remote, unauthenticated kill switch reachable over HTTP once the modified server is running. The package additionally pulls in two same-author scoped runtime dependencies (@my_name_is_khn/express-security-tool, @my_name_is_khn/express-security-tool-v1) which are auto-installed transitively.

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817

Frequently asked questions

No. express-self-destruct on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005388

Credits

  • Amazon Inspector · finder

express-self-destruct (npm) malicious package — MAL-2026-5553 | O3 Security