by uyzstvqs
176 days ago
Just quickly deobfuscated the payload as well (this is fun). It's a cross-platform infostealer that would've taken your browser cookies, saved passwords, clipboard, and different files including crypto wallets, documents and images. Their C2 is 144.172.115[.]116 (RouterHosting LLC / Cloudzy in Utah, USA) on ports 8085-8087 over HTTP and WebSockets. Relevant: https://www.securityweek.com/iran-run-isp-cloudzy-caught-sup...

> I definitely would have fallen for it myself if it wasn't for the few red flags they didn't even try to avoid.

Always use a VM for this kind of stuff, even if you're interviewing at Google. More advanced threat actors could also fake GitHub stars or NPM downloads, or even use a hijacked dependency that used to be legitimate.
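As an added example (not part of the comment above), here is a small defender-side check that refangs the C2 indicator quoted in the comment and scans connection-log lines for flows to that address on ports 8085-8087. The log layout (tab-separated ts, uid, src, sport, dst, dport, proto) is a simplified Zeek conn.log and the sample lines are constructed, not real traffic.

```python
import ipaddress

# C2 indicator exactly as defanged in the comment, plus the port range it used.
DEFANGED_C2 = "144.172.115[.]116"
C2_PORTS = range(8085, 8088)  # 8085, 8086, 8087


def refang(indicator: str) -> str:
    """Turn a defanged indicator (144.172.115[.]116, hxxp://...) back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_c2_connections(log_lines):
    """Return (ts, src, dport) for every flow whose destination is the C2 on a known C2 port.

    Lines starting with '#' (Zeek header lines) and malformed lines are skipped.
    """
    c2 = ipaddress.ip_address(refang(DEFANGED_C2))
    hits = []
    for line in log_lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        ts, _uid, src, _sport, dst, dport, _proto = fields[:7]
        try:
            if ipaddress.ip_address(dst) == c2 and int(dport) in C2_PORTS:
                hits.append((ts, src, int(dport)))
        except ValueError:  # unparsable address or port: not a flow record we can judge
            continue
    return hits


# Constructed sample log (assumed simplified Zeek conn.log layout; no real traffic).
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1700000000.1\tCabc1\t10.0.0.5\t51234\t144.172.115.116\t8085\ttcp",  # C2 hit
    "1700000001.2\tCabc2\t10.0.0.5\t51235\t144.172.115.116\t443\ttcp",   # same host, other port
    "1700000002.3\tCabc3\t10.0.0.7\t51236\t203.0.113.10\t8086\ttcp",     # C2 port, other host
    "1700000003.4\tCabc4\t10.0.0.9\t51237\t144.172.115.116\t8087\ttcp",  # C2 hit
]

if __name__ == "__main__":
    for ts, src, port in find_c2_connections(SAMPLE_LOG):
        print(f"{ts}: {src} -> C2 port {port}")
```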