In short, the code listens for a request containing the hardcoded key “DEFAULT_123” and, when triggered, executes a destructive rm -rf * command, deleting everything in the application’s root directory.
The second package, system-health-sync-api, is a bit more stealthy and complicated, Pandya added. Masquerading as a system monitoring tool, it collects environment and system data and exposes several undocumented HTTP endpoints such as /rm-rf-me and /destroy-host that, when hit, execute system-wiping commands.
The malicious monitoring package also exfiltrates execution details (hostname, IP, current working directory, environment hash) by email using hardcoded SMTP credentials, enabling attackers to track successful deployments.