Hacker News new | ask | show | jobs
by Aurornis 479 days ago
The web hook is in the templated script

From the article:

> The "trust" value, when base64-decoded, turns out to be a discord webhook link: myhook = 'https://discord.com/api/webhooks/1050437982584324138/VJByvmB...'

Collect all the scripts matching the template. Extract the “trust” variable. Decode base64. Send to Discord with proof of how it was obtained.

Discord then identifies the Discords matching those webhooks.

It’s not some hard static analysis problem. These are python scripts with a base64 encoded variable. I don’t understand why you’re making it out to be something other than what the article says.
1 comments
catsma21 479 days ago
the article details how github is spammed by multiple people who read one guide. not every single one of the 1000 repos is THE SAME breed of malware. some overlap, maybe. but some is c#, some is rust, some is python. out of those that are python, some are obfuscated with this love/trust/joy obfuscator, some use pyarmor, some are compiled with nuitka. no, the guide does not instruct you which malware strain to use, only how to game github for traffic.

if it was that simple it would be a solved problem. i encourage you to give it a shot

link
Aurornis 479 days ago
> not every single one of the 1000 repos is THE SAME breed of malware. some overlap, maybe. but some is c#, some is rust, some is python

No, the article is specifically about 1115 malware repos built from the same template

This is taken from the intro of the article:

> Wrote a script that helped me find 1115 repositories built based on the instructions from the guide.

I don’t know what you think you’re talking about, but you’re not talking about the article that I’m talking about.

The template repo is here: https://github.com/Jalynn0922/steal-cook

It contains the main.py script that the article is talking about.

link
catsma21 479 days ago
NOT the same malware template. article only details how "This first repo I found" works, not all of them. look at how his github searching script works in "Scraping Github" - there is no way to determine what malware is in the repo, only that it is doing keyword stuffing.
link