Basically, the code listens for a request containing a hardcoded key, "DEFAULT_123", and, when triggered, executes a destructive rm -rf * command, deleting everything within the application's root directory.
The second package, system-health-sync-api, is stealthier and more complex, Pandya added. Masquerading as a system monitoring tool, it collects environment and system data and exposes several undocumented HTTP endpoints, such as /rm-rf-me and /destroy-host, that, when hit, execute system-wiping commands.
The malicious monitoring package also exfiltrates execution details (such as hostname, IP, CWD and environment hash) via email using hardcoded SMTP credentials, enabling attackers to track successful deployments.