Just to add a key missing piece of information here .. this was a node-red instance exposed on the internet with no security applied.
This is why we always go to great lengths to highlight the security implications of exposing NR to the internet. The exec node gives whoever can deploy a flow complete access to the machine running NR. Do not assume that no-one will find your NR instance - this demonstrates NR is now recognised and targeted by people scanning the internet for vulnerabilities.
If you really must expose it to the internet, at the very least ensure you have adminAuth configured so only you can log in and see the editor.
