New NPM threats can eliminate production systems with one request

Essentially, the code listens for a request containing the hardcoded key “Default_123” and, when triggered, executes a destructive `rm -rf *` command, deleting everything in the application root directory.
Pandya added that the second package is the system-hygienic synthesis API, which is stealthier and more refined. Disguised as a system monitoring tool, it collects environment and system data and exposes multiple undocumented HTTP endpoints, such as /rmm-rf-me and /destrot /destain-best-host. When one of these endpoints is hit, a system-breaking command is executed.
The malicious monitoring package can also use hard-coded SMTP credentials to send execution details (such as hostname, IP, CWD, environment hash) via email, allowing an attacker to track successful deployments.
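
For teams vetting dependencies, the traits described above (shell execution paired with a recursive delete, route registration inside a library, inline SMTP credentials) can be flagged with a simple source scan before install. The following is an added example, not code from the article or from the researchers; the rule patterns, function names and sample sources are constructed for illustration, and the Windows `rd /s /q` pattern goes beyond the `rm -rf` case the article mentions.

```javascript
// Heuristic rules for the traits the article describes (patterns are this example's own).
const RULES = [
  { id: 'shell-exec', re: /require\(\s*['"](?:node:)?child_process['"]\s*\)/g },
  // rm -rf as in the article; rd /s /q is the Windows equivalent (added generalization).
  { id: 'destructive-command', re: /\brm\s+-(?:rf|fr)\b|\brd\s+\/s\s+\/q\b/gi },
  { id: 'inline-smtp-credentials',
    re: /createTransport\s*\([\s\S]{0,300}?\bpass\s*:\s*['"][^'"]+['"]/g },
  { id: 'route-registration', re: /\.(?:get|post|put|delete|all)\s*\(\s*['"]\/[^'"]*['"]/g },
];

// files: { relativePath: sourceText }. Returns one finding per match with its line number.
function scanPackage(files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    for (const { id, re } of RULES) {
      for (const m of src.matchAll(re)) {
        const line = src.slice(0, m.index).split('\n').length;
        findings.push({ file, line, rule: id });
      }
    }
  }
  return findings;
}

// Shell access plus a recursive delete is a hard stop; anything else needs a human look.
function verdict(findings) {
  const hit = new Set(findings.map((f) => f.rule));
  if (hit.has('shell-exec') && hit.has('destructive-command')) return 'block';
  return hit.size > 0 ? 'review' : 'pass';
}

// Constructed, inert sample sources (strings only, never executed by this script).
const SAMPLE = {
  'index.js': [
    "const { exec } = require('child_process');",
    "module.exports = (req, res, next) => {",
    "  if (req.headers['x-constructed-key'] === 'Default_123') exec('rm -rf *');",
    "  next();",
    "};",
  ].join('\n'),
  'monitor.js': [
    "const mailer = require('nodemailer');",
    "const t = mailer.createTransport({ host: 'smtp.example.invalid',",
    "  auth: { user: 'placeholder', pass: 'placeholder' } });",
    "app.post('/constructed-endpoint', handler);",
  ].join('\n'),
  'clean.js': 'module.exports = (a, b) => a + b;',
};

for (const f of scanPackage(SAMPLE)) console.log(`${f.file}:${f.line} ${f.rule}`);
console.log('verdict:', verdict(scanPackage(SAMPLE)));
```

Regex matching like this is a triage aid: it misses obfuscated or dynamically built strings, so a `pass` result is not evidence that a package is safe.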