Wwo things stood out: 1. hiding the payload in next.config.mjs is clever because GitHub's UI truncates long lines so the malicious string is literally invisible when scrolling through the file. second, storing the c2 payload on binance smart chain means theres no server to take down. The axios attack was mitigated by removing the GitHub-hosted payload. This one can't be.
2. found 30+ repos with the same signature string. Pretty sure there's way more we didn't catch with basic string matching.
happy to answer questions about the deobfuscation process or the c2 protocol analysis.
It looks like the screen recording was made on a Mac. Does your browser (Chrome?) respect the OS-wide ‘Always show scroll bars’ setting?
After all, it’s not that GitHub is “truncating” the lines, it’s that scroll bars aren’t visible - so it’s not immediately obvious that there’s code outside of the viewport.
well truncating or not, that seems to be a major security UI issue...?