I’ve been doing mentoring and freelancing on Codementor for a while now. Recently, I applied for a project titled “Front-end Design Developer (React.js, Three.js)”. The client asked me to install their code locally and “fix the problem,” after which they’d set up a call with their CTO. They shared a Bitbucket link to their codebase.

So, I cloned the repository and ran npm install, but it failed due to a React version mismatch. I let the client know about the issue and asked if fixing the installation error was the main goal of this request. The error was apparently unexpected for him too, and he suggested running the install with the --force flag. He then said that once I did that, he’d explain what needed to be fixed.

This is when things started to feel suspicious.

I took a closer look at the files and found something odd — an obfuscated file named error.js, which was imported into backend/app.js.

Since it was an immediately invoked function expression (IIFE), it would execute as soon as it was imported. This, combined with the client’s refusal to provide any further details, raised major red flags.

I decided to report the situation to Codementor’s support team for further investigation. Meanwhile, the client kept insisting that I proceed with the installation, promising he’d “guide me” through the process afterward.

I had heard of scammers tricking developers into installing malicious code under the guise of fixing a bug. During the installation or run phase, these apps can search for sensitive data like cryptocurrency wallet information on your device, leading to potential theft.

And, guess what? A smart person on Reddit dug into the code of error.js file with the help of Gemini, and it turns out it is indeed malicious. It collects user data, crypto wallet information (Exodus), system data, and sends it to a remote server.

This is the detailed response from Gemini:

Data Theft:
The script focuses on stealing browsing data from various browsers (Chrome, Brave, Opera, Firefox) and cryptocurrency wallet information (Exodus). It achieves this by:

Identifying browser extension and profile folders.
Searching for specific files within those folders (likely containing browsing history, cookies, etc.).
Extracting the content of those files.
Sending the extracted data to a remote server controlled by the attacker.

Obfuscation:

The script uses various techniques to obfuscate its code and make it harder to understand:

Base-decoding for strings.
Self-referential tricks.
Closures to limit function execution.

Overall, this script is malicious and should not be run. It can steal sensitive information from your computer and send it to an attacker. If you suspect this script might be running on your system, it's crucial to take immediate action.

For the first time in my life I’m happy that the npm install command failed 😅 As I didn't run the code, I don’t think any harm was done. But I’ve definitely learned a lesson: never install code from strangers without inspecting it first (something I admittedly didn’t do well enough this time). As someone on Reddit wisely pointed out, a good practice is to always run unfamiliar code on a virtual machine to protect your system.

Stay safe, and be cautious when dealing with unvetted code!