Hello Bitbucket Staff,
The following URL is used in a malware sample (Word document) found in the wild and leads to malicious commands.
hxxps://bitbucket[.]org/!api/2.0/snippets/daddyjob/rEBeKk/eb2e3ae345c3222aa8cbc1fb29140f6e1a59eb66/files/blessed-bypass-1.txt
Entrypoint Word document VB object segment leading to the URL (shortened using bit.ly):
https://www.virustotal.com/gui/file/2c8b7232a1e69f86d5871e45eeec535b6c8d55f0f24f03b0ad195c6f3e4c6b0c
Malicious MSHTA script dubbed as "blessed bypass" by the attacker:
https://www.virustotal.com/gui/file/01e5872685e618295048fa7c24dc07139103051d157f1a5590b2d437a39b5c30
Final payload bundle:
https://www.virustotal.com/gui/file/3523667d13f8e6dc4b02a1720508531d5834f321b95ec8e79a42340794ffab3a
Please check the malicious account (supposedly with username "daddyjob") and take proper action.
Best,
Anonymous
Thanks for the report. This repo has been taken down. In the future you can email these directly to abuse@atlassian.com as well. It is ok to report this here in Community as well, but we sometimes miss things here.
Andy
Thank you! I've edited my post so future viewers (and also myself) will see the email address.
Atlassian have asked us to forward any malicious email to them at abuse@atlassian.com
That includes emails about, or from, malicious code hosted on Bitbucket, and even if you've not had an email and are getting this malware through a different route, you can still report the repository / user / service to the same address.
They don't need you to explain much either - if it's an email, just forward it, no commentary needed. If it's a malware report, they only really need to know what the repository is (but the detail you've given in your post here would be very useful to them, and probably help get it taken down more easily).
But, don't email this one, I've asked an Atlassian to take a look at your post, so they don't need another report via email. This way it also feeds into the things Atlassian are looking at to improve their abuse handling systems.