uyzstvqs
a month ago
Yes, found the malware in json-mappings. /lib/const.js contains DEV_API_KEY, which is a base64 encoded URL to the actual malware, hosted on an external service. This variable gets used by /lib/caller.js to download and run it. The rest of the project is just copied from pinojs/pino.
dgrcode
a month ago
Thanks a lot for investigating this further. I'll write a cleaner blog post to alert other potential victims. From the package downloads they're hacking around 200 people per week, just with `json-mappings`. I've definitely would have fallen myself if it wasn't for the few red flags they didn't even try to avoid.
uyzstvqs
a month ago
Just quickly deobfuscated the payload as well (this is fun). It's a cross-platform infostealer that would've taken your browser cookies, saved passwords, clipboard, and different files including crypto wallets, documents and images.
Their C2 is 144.172.115[.]116 (RouterHosting LLC / Cloudzy in Utah, USA) on ports 8085-8087 over HTTP and WebSockets.
Relevant: https://www.securityweek.com/iran-run-isp-cloudzy-caught-sup...
> I've definitely would have fallen myself if it wasn't for the few red flags they didn't even try to avoid.
Always use a VM for this kind of stuff, even if you're interviewing at Google. More advanced threat actors could also fake Github stars or NPM downloads, or even use a hijacked dependency that used to be legitimate.
reliefcrew
a month ago
Maybe finding this out was the point of the task? IOW, part of the interview... if you find the exploit you pass, if not fail.
Just theorizing.