The Blueprint of a North Korean Attack on Open-Source (casco.com)

by brene 12 comments 32 points

12 comments

[−] brene 38d ago
Author here. We were analyzing a compromised contributor account targeting better-auth when we noticed something interesting about the attack vector. Most coverage of supply chain attacks focuses on the "what happened" but I wanted to document the "how it actually works" with the deobfuscated code.

Two things stood out: 1. Hiding the payload in next.config.mjs is clever because GitHub's UI truncates long lines so the malicious string is literally invisible when scrolling through the file. Second, storing the C2 payload on Binance Smart Chain means there's no server to take down. The axios attack was mitigated by removing the GitHub-hosted payload. This one can't be.

2. Found 30+ repos with the same signature string. Pretty sure there's way more we didn't catch with basic string matching.

Happy to answer questions about the deobfuscation process or the C2 protocol analysis.

[−] rho138 38d ago
Your website fingerprints devices so hard it throws a warning after rendering content.
[−] brene 38d ago
Are you using Safari's Lockdown Mode?
[−] PeterWhittaker 38d ago
What if they are? Why should people attempting to browse securely be punished?
[−] brene 38d ago
Just debugging the issue :-)
[−] WalterGR 38d ago

> GitHub's UI truncates long lines so the malicious string is literally invisible when scrolling through the file.

It looks like the screen recording was made on a Mac. Does your browser (Chrome?) respect the OS-wide ‘Always show scroll bars’ setting?

After all, it’s not that GitHub is “truncating” the lines, it’s that scroll bars aren’t visible - so it’s not immediately obvious that there’s code outside of the viewport.

[−] sysguest 38d ago

> it’s that scroll bars aren’t visible

Well, truncating or not, that seems to be a major security UI issue...?

[−] RugZug 37d ago
The website loads for a second and then

  Application error: a client-side exception has occurred while loading casco.com (see the browser console for more information).
[−] iannacl 38d ago
The blockchain angle to circumvent takedowns of the payload hosting here is really interesting.
[−] dns_snek 38d ago
The blockchain is a red herring, it's still just connecting to an HTTPS server which serves the payload. Not that different from using any other web host which turns a blind eye to abuse.
[−] bloppe 36d ago
Looks like they went through the Binance API, but they didn't have to. They could have connected directly to the P2P network via a DNS seed. It would have added complexity to the client which might have made it easier to detect, and there are plenty of options for APIs that will serve the same data without any scrutiny. Maybe there should be more scrutiny of those APIs, but it wouldn't be a bullet-proof solution.

There's CSAM on the Bitcoin blockchain. Anybody who runs a full node is actually distributing CSAM, and there isn't really any way around that without making Bitcoin illegal, and that ship has essentially sailed now that major national pension funds are invested in it.

[−] rafaveira3 38d ago
Break one maintainer, own the ecosystem. BTW, beautiful graphs.