A number of node-RED users have succumbed to a new virus, which gains root access via node-RED, and then installs cryptocurrency miner, plus whatever scripts/software that the virus is programmed to install.
It’s important that if anyone is exposing node-RED to the internet, that the adminAuth is set as per the node-RED guide. This will prevent rogue code accessing the adminAPI, and gaining root access, to add and run rogue code.
Hopefully, most savvy users will have already done this anyway 
Paul