Infostealer

The chain was not in the hook this time; it was hidden behind the contract. Executive Summary This report analyzes a recruitment-themed developer task delivered through a Bitbucket repository operating under the name estokkyam.The target was contacted through LinkedIn with a job offer and was given a Google Doc containing task instructions and a Bitbucket repository link. The repository presented as a plausible React/Node.js blockchain application named YAMTOKEN. The malicious behavior was not implemented through Git hooks or VS Code workspace tasks. Instead, the execution chain was hidden in the backend server path. Running the project through the normal npm workflow starts the backend with node server. The backend loads the authentication route, which loads authentication middleware, which imports server/config/getContract.js. That module contains a function named callHashedContract(), and the auth middleware invokes it during module initialization. ...

The face was changed, yet the hand was known. Executive Summary A threat actor impersonating DLabs Hungary conducted a targeted recruitment campaign against a developer, using a purported CTO/team lead opportunity to deliver a malicious GitHub repository. The legitimate DLabs Hungary company is not assessed to be involved in this activity; the name was used as social-engineering cover by the threat actor. The repository was shared during a live interview call, with access granted long enough for the target to clone it. The repository contained VS Code workspace tasks configured with runOn: folderOpen, meaning the tasks could run when the folder was opened in a trusted workspace and automatic task execution was allowed. ...

“The blueprints were genuine. The building was not.” Executive Summary A threat actor operating a fake recruiter persona on LinkedIn approached the researcher with a Technical Manager role at a fabricated DeFi company, offering $25,000 USD per month and directing the target to a Calendly booking page operated under the handle devs_empire. The actor shared a Bitbucket repository - lmng2026 - as the basis of a technical interview, presenting a polished, fully-designed DeFi platform called Lumanagi to establish credibility. The repository contained two independent execution paths: a VS Code folder-open task and a build-chain payload hidden in tailwind.config.js. The first path requires only opening the repository in a trusted VS Code workspace where automatic tasks are allowed; the second executes during normal frontend start or build activity. Neither requires the target to explicitly run the concealed payload file. ...