On npm install, the package's postinstall runs scripts/inject.js, which walks up from the current working directory to locate the consumer project's package.json, resolves the main Express entry (falling back to index.js/app.js/server.js/src/index.js/src/app.js), and uses fs.appendFileSync to silently append a snippet to that file. The injected snippet registers app.get('/robots.txt',...) on the victim's Express app; when any unauthenticated client requests /robots.txt?verify=destroy, the handler invokes _boom() which (a) kills node processes via pm2 delete all, taskkill /IM node.exe /F, or pkill -f "node.*${process.cwd()}", and (b) recursively deletes process.cwd()/src via fs.rm(..., {recursive:true, force:true}). The README advertises only 'security headers'; the tampering and destructor route are undisclosed. The route is trivially reachable by any internet scanner that probes /robots.txt with the magic query string. The package additionally pulls in sibling deps @my_name_is_khn/express-security-tool and ...-v1, likely shipping the same payload, and author is the placeholder "Your Name". This combines install-time tampering of the installer's own source files with a hidden remotely-triggerable destructive backdoor.