This repository contains NO working malware. It is a defanged test fixture: it structurally imitates the Contagious Interview / BeaverTail lure (a fake-recruiter "coding assignment" that targets developers) so that the kotiq-guard repo scanner can be demonstrated against a known-bad shape — exactly like the EICAR test file for antivirus engines.
It is intentionally public so the scanner (and reviewers) can read it. It is not a copy of any real victim's project, and it does nothing.
- The dangerous code never runs. Every malicious-looking function is guarded behind a condition that is never true (e.g. `process.env.KOTIQ_FIXTURE_NEVER_SET === 'arm'`), so it is dead code. Running any file just prints one line and exits.
- Every network host is `*.example.invalid`. `.invalid` is an RFC 6761 reserved TLD that can never resolve, so nothing can be fetched, contacted, or exfiltrated even if the code did run.
- No real URLs, hosts, hashes, wallet addresses, or victim data appear anywhere.
Please don't "fix" the guards, don't publish this to npm, and don't reuse the shape as a template. It exists only to be detected.
Real lures hide their command-and-control (C2) address so it doesn't show up as a plain URL during a quick code skim. The classic trick: store the host as a base64 string, then decode it at runtime into a variable. This fixture reproduces that trick safely.
In `.env`:

```
API_CONFIG=aHR0cHM6Ly9jMi5leGFtcGxlLmludmFsaWQvY29sbGVjdA==
```

That string isn't random: it's base64. Decode it (`atob`, `Buffer.from(x, 'base64')`, or `base64 -d`) and you get a URL:

```
aHR0cHM6Ly9jMi5leGFtcGxlLmludmFsaWQvY29sbGVjdA==
        │ base64 decode
        ▼
https://c2.example.invalid/collect        ← never resolves (reserved TLD)
```

In a real sample this would decode to a live attacker host; the fixture deliberately uses a non-resolving `*.invalid` address instead. kotiq-guard's job is to notice that a `.env` value is a base64-encoded remote URL and surface it as C2 obfuscation, so a developer doesn't have to spot and decode it by hand.
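A check for exactly this pattern, as an added example (not kotiq-guard's own code): it parses a constructed `.env` body, decodes any value that is well-formed base64, and reports the ones that decode to a remote URL. The rule name and every sample line other than the `API_CONFIG` value are made up for the example; the decode is checked by round-tripping, because `Buffer.from` silently accepts strings that are not real base64.

```javascript
// Added example (not kotiq-guard's own code): flag .env values that are
// base64-encoded remote URLs, the C2-obfuscation trick described above.
const URL_RE = /^(https?|wss?|ftp):\/\/[^\s]+$/i;
const B64_RE = /^[A-Za-z0-9+/]{16,}={0,2}$/;

// Decode a candidate base64 string; return null if it is not well-formed
// base64, does not round-trip, or decodes to non-printable bytes.
function decodeBase64Strict(s) {
  if (!B64_RE.test(s) || s.length % 4 !== 0) return null;
  const buf = Buffer.from(s, 'base64');
  if (buf.toString('base64') !== s) return null; // lenient decoder: re-encode to check
  const text = buf.toString('utf8');
  if (!/^[\x20-\x7e]+$/.test(text)) return null; // a URL is printable ASCII
  return text;
}

// Parse a .env body into key/value pairs (comments, blank lines, quotes).
function parseDotenv(body) {
  const out = {};
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    const quoted = (val.startsWith('"') && val.endsWith('"')) ||
                   (val.startsWith("'") && val.endsWith("'"));
    if (quoted) val = val.slice(1, -1);
    out[key] = val;
  }
  return out;
}

// One finding per value whose base64 decoding is a remote URL.
function findEncodedUrls(body) {
  const findings = [];
  for (const [key, value] of Object.entries(parseDotenv(body))) {
    const decoded = decodeBase64Strict(value);
    if (decoded && URL_RE.test(decoded)) {
      let host = null;
      try { host = new URL(decoded).hostname; } catch { /* not parseable */ }
      findings.push({ key, decoded, host, rule: 'c2-obfuscation/base64-url' });
    }
  }
  return findings;
}

// Constructed sample .env: the fixture's value plus benign lines that must NOT fire.
const SAMPLE_ENV = [
  '# local settings',
  'API_CONFIG=aHR0cHM6Ly9jMi5leGFtcGxlLmludmFsaWQvY29sbGVjdA==',
  'DEBUG=true',
  'SESSION_SECRET="c29tZS1zZWNyZXQtdmFsdWU="',   // base64, but not a URL
  'PLAIN_URL=https://api.example.invalid/v1',     // a URL, but not hidden
].join('\n');

for (const f of findEncodedUrls(SAMPLE_ENV)) {
  console.log(`[${f.rule}] ${f.key} decodes to ${f.decoded} (host ${f.host})`);
}
```

Only `API_CONFIG` is reported; the base64 secret decodes to plain text and the plain URL never passes the base64 check, which is the false-positive boundary a scanner rule like this has to hold.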
| File | Pattern | Why it matters |
|---|---|---|
| `.vscode/tasks.json` | `runOptions.runOn: "folderOpen"` + a `curl … \| sh` string | Auto-executes on opening the folder, no `npm install` needed. This is how the lure self-detonates. |
| `.vscode/settings.json` | workspace trust disabled + auto-run tasks + terminal profile override | Removes the run-on-open guard and redirects the integrated terminal to a controlled shell. |
| `.env` | base64-encoded remote URL | C2 obfuscation: a hidden host decoded at runtime (see section above). |
| `package.json` | `postinstall` → local script | Hook runs on `npm install`; the command looks benign, the file is the payload. |
| `scripts/postinstall.js` | base64 host, `eval()`, `fetch(...)` | Obfuscated first stage (BeaverTail shape). |
| `src/loader.js` | wallet paths (Solana/MetaMask/Phantom), `curl … \| sh` | Second-stage crypto-stealer strings. |
| `.idea/runConfigurations/` | auto-run config | JetBrains equivalent of the `folderOpen` trick. |
This is the same family of threat that has hit real developers through fake recruiter "take-home" assignments. kotiq-guard's job: surface all of the above before you open or install anything — in a sandbox, never on your main machine.