Ask HN: Are they trying to hack me?
3 points by dgrcode 9 days ago | hide | past | favorite | 4 comments
I'm in the middle of an interaction that has raised a few red flags, and at this point I'm confident this is part of a hacking attempt. But I thought asking here could give me a better perspective from an outsider. Here is the sequence of events:

Someone reaches out on LinkedIn claiming to have full-time and part-time roles that match my profile. I say I could be interested in part-time work and they immediately reply that there's a 4k monthly salary offer for 15-20 hours per week.

I reply that's half my hourly rate and they reply the client is almost willing to accept but wants to meet with me first. 1st red flag: no problem with doubling the offer

I accept and book a time with their technical person. 2nd red flag: the calendar had pretty much full availability

They tell me to complete a task before the meeting and provide a Microsoft Teams chat with someone from their team to talk about the task.

The person in the chat sends me a screenshot of two issues. I ask if they have the code on GitHub, to which they replied "github?". 3rd red flag

Then the same person sends me a zip file and asks about my node version. 4th red flag

At this point I'm already suspicious and not willing to run that code on my machine. I get a fresh Linux install on an old machine and download the code. I ask Cursor to find anything suspicious, and the only thing was a dependency mismatch between package.json and package-lock.json. I check the package present in package-lock, `json-map-source`, which is marked as a malicious package on https://security.snyk.io/package/npm/json-map-source. This package was removed from npm 18 days ago. Big red flag.

I check what npm's resolution of that mismatch is, and I find it would install `json-mappings`. I check on npm: this package was created 18 days ago, and the first and only version is 2.3.8, which happens to be the same version flagged as malicious for the package `json-map-source`. Massive red flag

Furthermore, the package is not on git, it's uploaded by a throwaway email, and the README that is shown on npm lists the yarn install command as `yarn add json-map-source` (the malicious package). In the code the package is just loaded and passed as middleware to an express app. The package has `sqlite3` as a native dependency, which compiles native code.

As I'm writing this message I really don't see how this could be something other than a hack attempt, but I'd love to have someone else's input on this. Especially from people more knowledgeable about security than me, which is easy.

Thanks!
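The package.json versus package-lock.json mismatch that tipped off the poster is something a reviewer can check mechanically before running `npm install`. The script below is an added example, not code from the thread or from either package; the two manifests are constructed to mirror the post's description (the `express` entry and the `hasInstallScript` flag are assumptions), and it reports direct dependencies that appear only on one side, range mismatches, and any locked package recorded as having an install script.

```python
"""Flag package.json / package-lock.json disagreements before installing."""
import json

# Constructed sample manifests (lockfileVersion 2/3 layout); the package.json
# declares json-mappings while the lockfile still pins json-map-source, as in
# the post. The sqlite3-style native build is represented by hasInstallScript.
PACKAGE_JSON = json.loads("""{
  "name": "task", "version": "1.0.0",
  "dependencies": {"express": "^4.18.2", "json-mappings": "^2.3.8"}
}""")

PACKAGE_LOCK = json.loads("""{
  "name": "task", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"express": "^4.18.2", "json-map-source": "^2.3.8"}},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/json-map-source": {"version": "2.3.8", "hasInstallScript": true}
  }
}""")


def lockfile_findings(pkg, lock):
    """Return (kind, package, detail) tuples a reviewer should look at."""
    declared = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    root = lock.get("packages", {}).get("", {})
    locked = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    findings = []
    # Direct dependencies: anything on one side only, or with a different range,
    # means `npm install` will not install what the lockfile claims to pin.
    for name in sorted(set(declared) | set(locked)):
        if name not in locked:
            findings.append(("only-in-package.json", name, declared[name]))
        elif name not in declared:
            findings.append(("only-in-lock", name, locked[name]))
        elif declared[name] != locked[name]:
            findings.append(("range-mismatch", name, f"{declared[name]} vs {locked[name]}"))
    # Packages with install scripts run code at install time (native builds included).
    for path, meta in lock.get("packages", {}).items():
        if path and meta.get("hasInstallScript"):
            name = path.rsplit("node_modules/", 1)[-1]
            findings.append(("install-script", name, meta.get("version")))
    return findings


if __name__ == "__main__":
    for kind, name, detail in lockfile_findings(PACKAGE_JSON, PACKAGE_LOCK):
        print(f"{kind:22} {name:18} {detail}")
```

Run it against the real files by replacing the two constructed manifests with `json.load(open(...))` calls; a clean project produces no findings.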

Yes, found the malware in json-mappings. /lib/const.js contains DEV_API_KEY, which is a base64 encoded URL to the actual malware, hosted on an external service. This variable gets used by /lib/caller.js to download and run it. The rest of the project is just copied from pinojs/pino.

Thanks a lot for investigating this further. I'll write a cleaner blog post to alert other potential victims. From the package downloads they're hacking around 200 people per week, just with `json-mappings`. I definitely would have fallen for it myself if it wasn't for the few red flags they didn't even try to avoid.

Just quickly deobfuscated the payload as well (this is fun). It's a cross-platform infostealer that would've taken your browser cookies, saved passwords, clipboard, and different files including crypto wallets, documents and images.

Their C2 is 144.172.115[.]116 (RouterHosting LLC / Cloudzy in Utah, USA) on ports 8085-8087 over HTTP and WebSockets.

Relevant: https://www.securityweek.com/iran-run-isp-cloudzy-caught-sup...

> I definitely would have fallen for it myself if it wasn't for the few red flags they didn't even try to avoid.

Always use a VM for this kind of stuff, even if you're interviewing at Google. More advanced threat actors could also fake GitHub stars or npm downloads, or even use a hijacked dependency that used to be legitimate.

Maybe finding this out was the point of the task? IOW, part of the interview... if you find the exploit you pass, if not fail.

Just theorizing.
