Beware of Malicious Code: A Developer’s Experience with a Suspicious Request

Vardan Hakobyan

I’ve been doing mentoring and freelancing on Codementor for a while now. Recently, I applied for a project titled “Front-end Design Developer (React.js, Three.js)”. The client asked me to install their code locally and “fix the problem,” after which they’d set up a call with their CTO. They shared a Bitbucket link to their codebase.

So, I cloned the repository and ran npm install, but it failed due to a React version mismatch. I let the client know about the issue and asked if fixing the installation error was the main goal of this request. The error was apparently unexpected for him too, and he suggested running the install with the --force flag. He then said that once I did that, he’d explain what needed to be fixed.

This is when things started to feel suspicious.

I took a closer look at the files and found something odd — an obfuscated file named error.js, which was imported into backend/app.js.

Since it was an immediately invoked function expression (IIFE), it would execute as soon as it was imported. This, combined with the client’s refusal to provide any further details, raised major red flags.

I decided to report the situation to Codementor’s support team for further investigation. Meanwhile, the client kept insisting that I proceed with the installation, promising he’d “guide me” through the process afterward.

I had heard of scammers tricking developers into installing malicious code under the guise of fixing a bug. During the installation or run phase, these apps can search for sensitive data like cryptocurrency wallet information on your device, leading to potential theft. While I’m not entirely sure if this was one of those apps, I’m certain that the intentions were malicious.

Luckily, the installation failed, so I don’t think any harm was done. But I’ve definitely learned a lesson: never install code from strangers without inspecting it first (something I admittedly didn’t do well enough this time). As someone on Reddit wisely pointed out, a good practice is to always run unfamiliar code on a virtual machine to protect your system.

Stay safe, and be cautious when dealing with unvetted code!

UPDATE: A smart person on Reddit dug into the code with the help of Gemini, and it turns out it is indeed malicious. It collects user data, crypto wallet information (Exodus), system data, and sends it to a remote server (see the detailed answer below). For the first time in my life I’m happy that the npm install command failed 😅

This is an obfuscated JavaScript file designed to steal information from a user's computer. Here's a breakdown of the code:

Functions:

  • _0x154e - This function seems to be a custom base decoder, likely used to decode obfuscated strings within the script.

  • _0x42ffe4 - This function creates a closure that only allows the wrapped function to be executed once.

  • _0x3dfc15 - This function uses a self-referential trick to find the string "(((.+)+)+)+$" within its own code and returns the length of the match. This appears to be another obfuscation technique.

  • _0x23689e - Similar to _0x42ffe4, this function creates a closure to limit function execution to once.

  • _0x56cfa8 - Similar to the previous two, this function creates a closure.

  • _0x35d500 - This function replaces the console object methods (log, warn, etc.) with functions that send the logs to a remote server (likely controlled by the attacker).

  • _0x47ba2f - This function checks if a file exists.

  • _0x4874f1 - This function executes a shell command.

  • _0x315f6c - This is the core function responsible for data exfiltration. It takes a directory path, a prefix for filenames, a starting index for profile iteration, and a callback function as arguments. It iterates through browser extension folders (Chrome, Brave, Opera) searching for specific files (likely containing browsing history, cookies, etc.) and sends their contents to the remote server.

  • _0x42c59d - This function focuses on extracting data from Firefox profiles. It searches for specific folders within Firefox profiles and identifies files containing potentially sensitive information. Similar to _0x315f6c, it sends the content of those files to the server.

  • _0x2f8696 - This function targets the Exodus cryptocurrency wallet. It checks for the wallet file based on the operating system and extracts its content, sending it to the server.

  • _0xd9f4cd - This function prepares and sends data to the remote server. It creates a data structure containing the data type, a unique identifier, a timestamp, and a flag indicating if it's a multi-file upload. Finally, it sends the data using a POST request.

  • _0x162432 - This function iterates through a list of browser data directories based on the operating system and calls _0x315f6c to extract data from each browser.

  • _0x44de93 - This function focuses on extracting data from the macOS keychain (login.keychain) and Chrome browser profiles. It searches for specific files and sends their content to the server.

Data Theft:

The script focuses on stealing browsing data from various browsers (Chrome, Brave, Opera, Firefox) and cryptocurrency wallet information (Exodus). It achieves this by:

  • Identifying browser extension and profile folders.

  • Searching for specific files within those folders (likely containing browsing history, cookies, etc.).

  • Extracting the content of those files.

  • Sending the extracted data to a remote server controlled by the attacker.

Obfuscation:

The script uses various techniques to obfuscate its code and make it harder to understand:

  • Base-decoding for strings.

  • Self-referential tricks.

  • Closures to limit function execution.

Overall, this script is malicious and should not be run. It can steal sensitive information from your computer and send it to an attacker. If you suspect this script might be running on your system, it's crucial to take immediate action. Here are some recommendations:

  • Disconnect your computer from the internet.

  • Scan your system with a reputable antivirus program.

  • Consider a fresh operating system installation if the malware can't be removed effectively.

  • Change your passwords for all online accounts, especially those related to finance and email.

P.S. The links to the malicious code I shared may already be broken, as the authors may have moved the code since then.

Stay updated with the latest JavaScript and software development news! Join my Telegram channel for more insights and discussions: TechSavvy: Frontend & Backend.


Written by

Vardan Hakobyan

Hi, I'm a seasoned software engineer with a strong focus on JavaScript. I'm passionate about sharing my knowledge and experiences to help others learn something new and avoid the same pitfalls I've encountered along the way.