Hello Bitbucket Staff,
The following URL is used in a malware sample (word document) found in the wild and leads to malicious commands.
hxxps://bitbucket[.]org/!api/2.0/snippets/daddyjob/rEBeKk/eb2e3ae345c3222aa8cbc1fb29140f6e1a59eb66/files/blessed-bypass-1.txt
Entrypoint word document VB object segment leading to the URL (shortened using bit.ly):
https://www.virustotal.com/gui/file/2c8b7232a1e69f86d5871e45eeec535b6c8d55f0f24f03b0ad195c6f3e4c6b0c
Malicious MSHTA script dubbed as "blessed bypass" by the attacker:
https://www.virustotal.com/gui/file/01e5872685e618295048fa7c24dc07139103051d157f1a5590b2d437a39b5c30
Final payload bundle:
https://www.virustotal.com/gui/file/3523667d13f8e6dc4b02a1720508531d5834f321b95ec8e79a42340794ffab3a
Please check the malicious account (supposedly with username "daddyjob") and take proper action.
Best,
Anonymous
Thanks for the report. This repo has been taken down. In the future you can email these directly to abuse@atlassian.com as well. It is ok to report this here in Community as well, but we sometimes miss things here.
Andy
Thank you! I've edited my post so future viewers (and also myself) will see the email address.