There have been a growing number of reports of unsecured instances of Node-RED having a crypto-mining flow automatically deployed on them.
This is a result of exposing Node-RED on the internet without having applied any security - something we strongly advise against.
If you have been affected, the only safe option is to wipe and reinstall the server/device running Node-RED.
You must also ensure you properly secure Node-RED. At a bare minimum, you should enable adminAuth
as described in the documentation.
There is more information about best practices when exposing Node-RED on the Internet here.