The malware continuously monitors its access to GitHub (for exfiltration) and npm (for propagation). If an infected system loses access to both channels simultaneously, it triggers immediate data destruction on the compromised machine. On Windows, it attempts to delete all user files and overwrite disk sectors. On Unix systems, it uses shred to overwrite files before deletion, making recovery nearly impossible.
shred is intended to overwrite the actual on-disk contents by overwriting data in the file prior to unlinking the files. However, shred isn't as effective on journalled filesystems, because writing in this fashion doesn't overwrite the contents on-disk like this. Normally, ext3, ext4, and btrfs are journalled. Most people are not running ext2 in 2025, save maybe on their /boot partition, if they have that as a separate partition.