Ask HN: Are they trying to hack me?
3 pointsby dgrcodea month ago1 comment
  • uyzstvqsa month ago
    Yes, found the malware in json-mappings. /lib/const.js contains DEV_API_KEY, which is a base64 encoded URL to the actual malware, hosted on an external service. This variable gets used by /lib/caller.js to download and run it. The rest of the project is just copied from pinojs/pino.
    • dgrcodea month ago
      Thanks a lot for investigating this further. I'll write a cleaner blog post to alert other potential victims. From the package downloads they're hacking around 200 people per week, just with `json-mappings`. I've definitely would have fallen myself if it wasn't for the few red flags they didn't even try to avoid.
      • uyzstvqsa month ago
        Just quickly deobfuscated the payload as well (this is fun). It's a cross-platform infostealer that would've taken your browser cookies, saved passwords, clipboard, and different files including crypto wallets, documents and images.

        Their C2 is 144.172.115[.]116 (RouterHosting LLC / Cloudzy in Utah, USA) on ports 8085-8087 over HTTP and WebSockets.

        Relevant: https://www.securityweek.com/iran-run-isp-cloudzy-caught-sup...

        > I've definitely would have fallen myself if it wasn't for the few red flags they didn't even try to avoid.

        Always use a VM for this kind of stuff, even if you're interviewing at Google. More advanced threat actors could also fake Github stars or NPM downloads, or even use a hijacked dependency that used to be legitimate.

      • reliefcrewa month ago
        Maybe finding this out was the point of the task? IOW, part of the interview... if you find the exploit you pass, if not fail.

        Just theorizing.