{"id":571,"date":"2025-09-24T16:28:50","date_gmt":"2025-09-24T16:28:50","guid":{"rendered":"https:\/\/kurtgrung.com\/blog\/?p=571"},"modified":"2025-09-24T16:49:21","modified_gmt":"2025-09-24T16:49:21","slug":"nullvoid","status":"publish","type":"post","link":"https:\/\/kurtgrung.com\/blog\/nullvoid\/","title":{"rendered":"NullVoid"},"content":{"rendered":"\n<div class=\"wp-block-cover\" style=\"min-height:254px;aspect-ratio:unset;\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" class=\"wp-block-cover__image-background wp-image-583\" alt=\"\" src=\"https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/NullVoid-2.png\" data-object-fit=\"cover\" srcset=\"https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/NullVoid-2.png 1024w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/NullVoid-2-300x300.png 300w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/NullVoid-2-150x150.png 150w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/NullVoid-2-768x768.png 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><span aria-hidden=\"true\" class=\"wp-block-cover__background has-background-dim\"><\/span><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<p class=\"has-text-align-center has-large-font-size\"><\/p>\n<\/div><\/div>\n\n\n\n<p><br>I recently applied for a project on a freelancing portal. They asked to invite me to the GitHub repo. The project is dense and had many files. After running the <strong>NullVoid<\/strong> scan, it found malicious hidden code designed to steal cryptocurrency. This all stems from the recent <strong>NPM supply chain attacks<\/strong>. That's what got me curious about this. Apparently these are connected to the criminal syndicate <strong>Lazarus<\/strong>, and these attacks are coming out of North Korea \ud83c\uddf0\ud83c\uddf5. 
<br><br>So I decided to create a malware scanner for malicious obfuscated code detection for these exact malicious attacks. <br><br><br><strong>NullVoid<\/strong> <br><br>\ud83d\udd17 <a href=\"https:\/\/github.com\/kurt-grung\/NullVoid\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/github.com\/kurt-grung\/NullVoid<\/a><\/p>\n\n\n\n<p>\ud83d\udd17 <a href=\"https:\/\/www.npmjs.com\/package\/nullvoid\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/www.npmjs.com\/package\/nullvoid<\/a><br><br><br><strong>NullVoid Scan<\/strong><\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki 
nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D8DEE9\">nullvoid<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">scan<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">\u280b \ud83d\udd0d <\/span><span style=\"color: #D8DEE9\">Scanning<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">...<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">\ud83d\udcc1 <\/span><span style=\"color: #D8DEE9\">auth<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">js<\/span><span style=\"color: #D8DEE9FF\"> (<\/span><span style=\"color: #D8DEE9\">detected<\/span><span style=\"color: #D8DEE9FF\">: <\/span><span style=\"color: #D8DEE9\">OBFUSCATED_CODE<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">SUSPICIOUS_MODULE<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">MALICIOUS_CODE_STRUCTURE<\/span><span style=\"color: #D8DEE9FF\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">\u2714 \u2705 <\/span><span style=\"color: #D8DEE9\">Scan<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">completed<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">\ud83d\udd0d <\/span><span style=\"color: #D8DEE9\">NullVoid<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Scan<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Results<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">\u26a0\ufe0f  <\/span><span style=\"color: #B48EAD\">2<\/span><span style=\"color: 
#D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">high<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #D8DEE9\">severity<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">threat<\/span><span style=\"color: #D8DEE9FF\">(<\/span><span style=\"color: #D8DEE9\">s<\/span><span style=\"color: #D8DEE9FF\">) detected<\/span><span style=\"color: #ECEFF4\">:<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #B48EAD\">1.<\/span><span style=\"color: #D8DEE9FF\"> MALICIOUS_CODE_STRUCTURE<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Code<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">structure<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">indicates<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">malicious<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">obfuscated<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">content<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Package<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">\/<\/span><span style=\"color: #D8DEE9\">Users<\/span><span style=\"color: #81A1C1\">\/<\/span><span style=\"color: #D8DEE9\">kurtgrung<\/span><span style=\"color: #81A1C1\">\/<\/span><span style=\"color: #D8DEE9\">Desktop<\/span><span style=\"color: #81A1C1\">\/<\/span><span style=\"color: #D8DEE9\">FE<\/span><span style=\"color: #81A1C1\">\/<\/span><span style=\"color: #D8DEE9\">server<\/span><span style=\"color: #81A1C1\">\/<\/span><span style=\"color: #D8DEE9\">routes<\/span><span style=\"color: #81A1C1\">\/<\/span><span style=\"color: #D8DEE9\">api<\/span><span style=\"color: #81A1C1\">\/<\/span><span style=\"color: 
#D8DEE9\">auth<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9\">js<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Line<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">57<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Sample<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #8FBCBB\">module<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #8FBCBB\">exports<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">router<\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: #D8DEE9FF\">                                                                            <\/span><span style=\"color: #81A1C1\">...<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Severity<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">CRITICAL<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Details<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">MALICIOUS<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">CODE<\/span><span style=\"color: #D8DEE9FF\"> DETECTED<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Variable<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">name<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">mangling<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">detected<\/span><span style=\"color: #D8DEE9FF\"> (<\/span><span style=\"color: 
#B48EAD\">2<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">instances<\/span><span style=\"color: #D8DEE9FF\">)<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Massive<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">obfuscated<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">code<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">blob<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">detected<\/span><span style=\"color: #D8DEE9FF\"> (<\/span><span style=\"color: #B48EAD\">5681<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">characters<\/span><span style=\"color: #D8DEE9FF\">)<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Hex<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">encoding<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">arrays<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">detected<\/span><span style=\"color: #D8DEE9FF\"> (<\/span><span style=\"color: #B48EAD\">9<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">instances<\/span><span style=\"color: #D8DEE9FF\">)<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Anti<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #D8DEE9\">debugging<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">patterns<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">detected<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Code<\/span><span style=\"color: 
#D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">appended<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">to<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">legitimate<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #8FBCBB\">module<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #8FBCBB\">exports<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">detected<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">High<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">entropy<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">detected<\/span><span style=\"color: #D8DEE9FF\"> (<\/span><span style=\"color: #B48EAD\">5.52<\/span><span style=\"color: #D8DEE9FF\">)<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Confidence<\/span><span style=\"color: #D8DEE9FF\">: <\/span><span style=\"color: #B48EAD\">130<\/span><span style=\"color: #81A1C1\">%<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #B48EAD\">2.<\/span><span style=\"color: #D8DEE9FF\"> SUSPICIOUS_MODULE<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">Suspicious<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">module<\/span><span style=\"color: #D8DEE9FF\"> require: fs<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Package: \/Users\/kurtgrung\/Desktop\/FE\/server\/routes\/api\/auth<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">js<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Severity: CRITICAL<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#D8DEE9FF\">   Details: Code requires suspicious module: fs<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">\ud83d\udcc1 Directory Structure:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   61 directories: client, server<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   309 files: README<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">md, client\/README<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">md, client\/package<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">json, client\/public\/favicon<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">ico, client\/public\/img\/bat<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">jpg<\/span><span style=\"color: #ECEFF4\">...<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">\ud83d\udcca Dependency Tree Analysis:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Total packages scanned: 0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Max depth reached: 0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Packages with threats: 0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">   Deep dependencies (depth \u22652): 0<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">\ud83d\udcca Scanned 1 directory(s), 181 file(s) in 1966ms<\/span><\/span>\n<span class=\"line\"><\/span><\/code><\/pre><\/div>\n\n\n\n<p><br>\ud83d\udcc1 auth.js (detected: OBFUSCATED_CODE, SUSPICIOUS_MODULE, MALICIOUS_CODE_STRUCTURE)<br><br>It found the malicious code hidden inside the `auth.js`<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"174\" src=\"https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-1024x174.png\" alt=\"\" class=\"wp-image-585\" srcset=\"https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-1024x174.png 1024w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-300x51.png 300w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-768x131.png 768w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js.png 1434w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><br>Hidden malware like this will be hard to spot when reviewing the code! <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"201\" src=\"https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-attack-1024x201.png\" alt=\"\" class=\"wp-image-589\" srcset=\"https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-attack-1024x201.png 1024w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-attack-300x59.png 300w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-attack-768x151.png 768w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-attack-1536x302.png 1536w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-attack-2048x402.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><br>Hidden code uncovered <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"206\" src=\"https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-malware-attack-1024x206.png\" alt=\"\" class=\"wp-image-587\" srcset=\"https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-malware-attack-1024x206.png 1024w, 
https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-malware-attack-300x60.png 300w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-malware-attack-768x155.png 768w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-malware-attack-1536x309.png 1536w, https:\/\/kurtgrung.com\/blog\/wp-content\/uploads\/2025\/09\/auth_js-hidden-malware-attack-2048x413.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><br><br>BitDefender picked it up as <strong>&#8220;Generic.LazarusScam.A.73D6628A&#8221;<\/strong><br><br><a href=\"https:\/\/defensestorm.com\/insights\/from-job-offer-to-cyber-threat-inside-the-lazarus-groups-linkedin-scam\/\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/defensestorm.com\/insights\/from-job-offer-to-cyber-threat-inside-the-lazarus-groups-linkedin-scam\/<\/a><br><a href=\"https:\/\/www.linkedin.com\/pulse\/lazarus-groups-fake-linkedin-job-offers-malware-delivery-merton-uuk3c\/\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/www.linkedin.com\/pulse\/lazarus-groups-fake-linkedin-job-offers-malware-delivery-merton-uuk3c\/<\/a><br><a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/<\/a><br><a href=\"https:\/\/blog.barracuda.com\/2025\/09\/23\/lazarus-group--a-criminal-syndicate-with-a-flag\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/blog.barracuda.com\/2025\/09\/23\/lazarus-group--a-criminal-syndicate-with-a-flag<\/a><br><br><br><strong>NPM supply chain attacks <br><\/strong><br>In recent years, supply chain attacks have emerged as one of the most significant security threats facing developers and organizations worldwide. 
These sophisticated attacks exploit the trust we place in third-party dependencies, allowing malicious packages to infiltrate projects through seemingly legitimate dependencies. The consequences can be devastating, from data breaches and financial losses to complete system compromise.<\/p>\n\n\n\n<p>As developers, we rely heavily on npm packages to accelerate our development process. However, this convenience comes with inherent risks. Malicious actors are increasingly targeting the software supply chain, creating packages that appear legitimate but contain hidden malware, wallet hijacking code, or other malicious functionality.<\/p>\n\n\n\n<p><br><a href=\"https:\/\/www.aikido.dev\/blog\/npm-debug-and-chalk-packages-compromised\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/www.aikido.dev\/blog\/npm-debug-and-chalk-packages-compromised<\/a><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently applied for a project on a freelancing portal. They asked to invite me to the GitHub repo. The project is dense and had many files. After running the NullVoid scan, it found malicious hidden code designed to steal cryptocurrency. This all stems from the recent NPM supply chain attacks. 
That's what got me [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,178],"tags":[187,188,186,184,185,191,194,180,179,192,195,182,189,183,181,193],"class_list":["post-571","post","type-post","status-publish","format-standard","hentry","category-code","category-security","tag-criminal-syndicate","tag-cyber-attack","tag-lazarus","tag-lazarus-group","tag-lazarusscam","tag-malicious-code-2","tag-malicious_code_structure","tag-malware","tag-nullvoid","tag-obfuscated","tag-obfuscated_code","tag-security","tag-security-research","tag-security-tools","tag-supply-chain-attacks","tag-suspicious_module"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/posts\/571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/comments?post=571"}],"version-history":[{"count":11,"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/posts\/571\/revisions"}],"predecessor-version":[{"id":598,"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/posts\/571\/revisions\/598"}],"wp:attachment":[{"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/media?parent=571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/categories?post=571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kurtgrung.com\/blog\/wp-json\/wp\/v2\/tags?post=571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}