Two malicious npm packages, 'express-api-sync' and 'system-health-sync-api,' have been found to act as data wipers that delete entire application directories instead of functioning as advertised utilities. These packages, which have been removed from npm, contained backdoors that allowed attackers to execute destructive commands remotely, raising concerns about potential sabotage or state-level disruptions in the software ecosystem.