!! WARNING READERS: Please do not import the above flow !!
If the instance was accessible to the public, all it takes is a brute force attack. How complicated was your password? Was it using words? If so, a simple dictionary cycle will allow access if the attack was prolonged.
What you have posted has been found many times in unsecured Node-RED instances, or instances using sub-par passwords (or none in some cases).
Honestly, HTTPS is great, but only to stop eavesdropping; it will not stop an attacker brute forcing the password, especially if using dictionary words.
We usually suggest using a tunnel/VPN type of access.
Please see: Safely accessing Node-RED over the Internet
I would suggest reformatting the disk to remove traces; it's likely been at work on your system(s).
It might be worth checking over other connected devices on your network.
And take your instance off-line until you have cleaned all your potentially affected systems!
And welcome to the forums @iznogoud320, despite the unfortunate circumstance.