Malicious package

express-self-destruct2 (npm)

Malicious code in express-self-destruct2 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5554
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall express-self-destruct2

What this malware does

On install, the package's postinstall hook (scripts/inject.js) locates the installer's project root and main entry (from package.json, falling back to app.js or server.js), detects the Express app variable, and silently appends a hidden /robots.txt route handler to the installer's own source file. When that route is hit with ?verify=destroy, the injected handler runs npx pm2 delete all, taskkill /IM node.exe /F (Windows) or pkill -f "node.*<cwd>" (Unix), and recursively deletes the project's src/ directory with fs.rm.

The library's main module (index.js) additionally exports armSelfDestruct(app, options), which registers the same destructive route programmatically: on ?verify=destroy it executes pkill -f "node.*${process.cwd()}" and fs.rm(process.cwd() or process.cwd()/<deleteFolder>, { recursive: true, force: true }); with deleteFolder='' this wipes the entire working directory.

package.json also declares a dependency on the sibling package express-self-destruct1 despite the README advertising zero dependencies, pulling additional related code into the installer's tree.

The combination — install-time source tampering plus a shipped, attacker-triggerable process-kill + rm -rf primitive — is destructive supply-chain malware regardless of advertised purpose.
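A defender-side check for the indicators described above, added here as an example (it is not code from the advisory or from the package): it looks for the flagged package names in a parsed package.json or package-lock.json, and flags a /robots.txt handler only when the verify/destroy trigger and a process-kill or recursive-delete primitive appear alongside it. The lockfile and route snippets below are constructed samples, not captured files.

```javascript
// Added detection helper (not from the advisory or the package). Names come from the
// advisory; the sample inputs at the bottom are constructed for illustration.
const FLAGGED_PACKAGES = new Set(['express-self-destruct2', 'express-self-destruct1']);

// Accepts a parsed package.json or a v2/v3 package-lock.json (whose "packages" map
// uses keys like "node_modules/<name>"). Returns "name@version" for every hit.
function findFlaggedDeps(manifest) {
  const hits = [];
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    if (FLAGGED_PACKAGES.has(name)) hits.push(`${name}@${spec}`);
  }
  for (const [key, info] of Object.entries(manifest.packages || {})) {
    const name = key.replace(/^.*node_modules\//, '');
    if (FLAGGED_PACKAGES.has(name)) hits.push(`${name}@${info.version || '?'}`);
  }
  return hits;
}

// The injected route is reported only when all three signals occur together, so an
// ordinary robots.txt handler in a legitimate app is not flagged.
const DESTRUCTIVE = [/pm2\s+delete\s+all/, /taskkill/, /pkill\s+-f/, /fs\.rm\w*\([^)]*recursive/];
function findInjectedRoute(src) {
  const hasRobotsRoute = /\.(get|all|use)\(\s*['"`]\/robots\.txt['"`]/.test(src);
  const hasTrigger = /verify/.test(src) && /destroy/.test(src);
  const primitives = DESTRUCTIVE.filter((re) => re.test(src)).map((re) => re.source);
  return { suspicious: hasRobotsRoute && hasTrigger && primitives.length > 0, primitives };
}

// Constructed samples (not real files from any project).
const SAMPLE_LOCK = {
  dependencies: { express: '^4.19.2' },
  packages: {
    'node_modules/express': { version: '4.19.2' },
    'node_modules/express-self-destruct2': { version: '1.0.0' },
  },
};
const CLEAN_ROUTE =
  "app.get('/robots.txt', (req, res) => res.type('text/plain').send('User-agent: *\\nDisallow:'));";
const INJECTED_ROUTE = [
  "app.get('/robots.txt', (req, res) => {",
  '  // indicator fragments only, deliberately not a working handler',
  "  if (req.query.verify === 'destroy') { /* npx pm2 delete all; pkill -f node; fs.rm(dir, { recursive: true }) */ }",
  '});',
].join('\n');

console.log('flagged deps:', findFlaggedDeps(SAMPLE_LOCK));
console.log('clean route suspicious:', findInjectedRoute(CLEAN_ROUTE).suspicious);
console.log('injected route:', findInjectedRoute(INJECTED_ROUTE));
```

In practice, run findFlaggedDeps over every lockfile in CI and findInjectedRoute over the project's own entry file, since the postinstall hook writes into the installer's source rather than into node_modules.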

Malicious versions

1 flagged: 1.0.0

Indicators of compromise (SHA-256)

c21246439a04267591c998594f92ac1267c86698f5dcc3463ad2cd932abb04dc

Frequently asked questions

No. express-self-destruct2 on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005389

Credits

  • Amazon Inspector · finder

O3 Security blocks malicious packages like this at install time and in CI.

express-self-destruct2 (npm) malicious package — MAL-2026-5554 | O3 Security