> An Istanbul-based bug bounty hunter hypothesized that the npm projects ran by the developer effectively paved the means for the attacker to deploy a reverse shell, by opening up port 5000 on his machine that began "listening" for connections.
Is something blindly connecting to port 5000 and sending a secret payload without verifying what's connected on the other end? That seems like a recipe for chaos.
But that's what a reverse shell does - the point here was to covertly place a listening service that could be reached from the internet and execute arbitrary code so that an attacker could control the machine.
Maybe I'm misunderstanding your question though, can you clarify?
I think it's hard to really understand the attack without seeing the code, but listening on a port (at least the chunk of code rendered in the article) is not sufficient to make the machine accessible on the internet unless the wallet machine is publicly addressable, in which case I think running untrusted code is the least of the dev's concerns.
I had guessed that perhaps it's intercepting port 5000 and something else like Metamask was connecting to 5000 assuming something more innocuous was running on it, then forwarding that information? But like I said not sure without seeing the code.
> is not sufficient to make the machine accessible on the internet unless the wallet machine is publicly addressable, in which case I think running untrusted code is the least of the dev's concerns
Every router I've met still runs a firewall that blocks incoming traffic by default IPv6 or no. My guess on this kind of thing would generally be that the infected computer reacher out to a service controlled by the hacker to establish the shell and the reporter misunderstood, or that the dev connected to a VPN controlled by the attacker, effectively bypassing the firewall, otherwise something is really badly configured on the devs end.
A malicious npm package created by the attacker specifically crafted to open up a port that listens and executes commands and otherwise untrusted or unverified code on the victim’s machine.
> The Upwork job posting asks the applicant to "fix bugs and resopnsiveness [sic] on website" and claims to pay between $15 and $20 hourly for a task expected to take under a month.
A take-home for a web3 dev-job that pays less than California's minimum wage (as of April 2024) is a story in itself.
Yikes just get to the fucking point, article. They tricked him into running a reverse shell, then probably found his keys somewhere locally on his computer.
The writing here, and the subject of the writing, has me convinced that people in "web 3" have no clue what they are doing.
The victim here seems to be _very_ confused about how this could have happened until others clarify it for them. Like, you downloaded and ran someone else's code - of course it has a reverse shell in it. Why aren't you capable of reading JS well enough to see that? Surely it wasn't that well obfuscated? And even if it was, why is it so confusing?
13 comments
[ 0.20 ms ] story [ 83.7 ms ] threadIs something blindly connecting to port 5000 and sending a secret payload without verifying what's connected on the other end? That seems like a recipe for chaos.
Maybe I'm misunderstanding your question though, can you clarify?
I had guessed that perhaps it's intercepting port 5000 and something else like Metamask was connecting to 5000 assuming something more innocuous was running on it, then forwarding that information? But like I said not sure without seeing the code.
Whole raison d’etre of IPv6 is to enable that.
Saved you the click.
A take-home for a web3 dev-job that pays less than California's minimum wage (as of April 2024) is a story in itself.
The writing here, and the subject of the writing, has me convinced that people in "web 3" have no clue what they are doing.
The victim here seems to be _very_ confused about how this could have happened until others clarify it for them. Like, you downloaded and ran someone else's code - of course it has a reverse shell in it. Why aren't you capable of reading JS well enough to see that? Surely it wasn't that well obfuscated? And even if it was, why is it so confusing?