Triple Fork: OtterCookie-Family Three-Child Loader Delivered via Bitbucket Developer Lure

“The work was divided in three: one to steal, one to search, and one to command.”

Executive Summary

A threat actor operating under the Bitbucket handle blocwryte targeted developers via a LinkedIn recruitment lure that redirected victims to a fabricated skill-test repository: bitbucket[.]org/blocwryte/challenge. The project presented as a plausible backend Node.js application. Concealed within its middleware layer was a two-stage remote code execution primitive that fetched a heavily obfuscated JavaScript payload from the npoint[.]io free JSON storage service, a staging host documented in prior Contagious Interview reporting, and passed the fetched content directly into a dynamic execution sink named executeHandler. The naming was deliberate misdirection: executeHandler sounds like a routing utility, and the JSON key carrying the payload was named cookie, lending the appearance of ordinary session management to what was in fact a remote code execution call. ...

March 26, 2026 · ThreatProphet

Wallet Trap: BeaverTail and Trojanized MetaMask via Fake Developer Assignment

“The rite began with promise and ended in defilement.”

Executive Summary

A threat actor operating a fake recruiter persona on LinkedIn targeted developers with a bogus technical assignment. The lure repository (mocorex) was hosted on Bitbucket under the fabricated organisation fortegroup-org, using a plausible corporate naming pattern rather than a verified legitimate company identity. The project presented as a standard React/Vite web application, complete with plausible component structure and a commit history spanning multiple apparent contributors. Concealed within it was a horizontally indented loader, public/vite.cookie.js, designed to evade casual code review by pushing the staging call off-screen in a normal editor viewport. In the preserved sample, the staging call appears on line 529 after 380 leading horizontal whitespace characters. ...

March 24, 2026 · ThreatProphet