a fake bug fix PR hid a credential stealer in astro.config.mjs that used blockchain to receive commands
a malicious pull request was submitted in a 57k star github repo Egonex-AI/Understand-Anything and the pr description was also convincing, the test plan was fake and the real payload is hidden behind hundreds of whitespace characters on the last diff line. astro.config.mjs runs as a live nodejs module on every dev or preview. there is no sandbox which basically means it will affect more than a postinstall script. The second stage actually pulled commands from a tron blockchain address which is a public RPC nodes only so IP blocking does nothing. submitted by /u/BattleRemote3157 [link] [留言]
本文内容来源于互联网,版权归原作者所有
查看原文