
Threat Intelligence: Uncovering a Web3 Interview Scam

6 min read · Aug 12, 2025

Author: Joker & Ccj
Editor: KrsMt

Background

On August 9, 2025, a community member was asked during the first round of an interview with a self-proclaimed Ukrainian Web3 team to locally clone a GitHub repository. Suspecting potential security issues in the repository’s code, the member recently reached out to the SlowMist security team for assistance.

We promptly analyzed the GitHub open-source project (EvaCodes-Community/UltraX) and confirmed the existence of malicious components. With the member’s consent, we issued a security advisory.

https://x.com/SlowMist_Team/status/1954037572239602113

Analysis

We first visited the project’s GitHub repository: https://github.com/EvaCodes-Community/UltraX. From the recent changes, we noted that the latest version replaced the original redux-ace@1.0.3 dependency with a newly introduced package rtk-logger@1.11.5.


The redux-ace@1.0.3 NPM package had already been removed by the NPM security team for containing malicious code.


The rtk-logger@1.11.5 package was newly published.


When visiting its GitHub repository, we found that the source code had been deleted, raising further suspicion about its legitimacy.


Upon analysis, the malicious code was located in /rtk-logger/lib/utils/smtp-connection.


In index.js, several modules are imported, followed by reading the LICENSE file using fs.readFile. The file’s content is passed to the parseLib() method for parsing, which then returns code that is executed via eval(). The parseLib() method itself is defined in parse.js.


In parse.js, the AES-256-CBC decryption algorithm is used with a hardcoded key and IV to decrypt a given hexadecimal ciphertext (converted into a Buffer) via crypto.createDecipheriv(). The decrypted content is returned as a UTF-8 string.


Decrypting the LICENSE file revealed heavily obfuscated code designed to hinder analysis.


After deobfuscation, we confirmed that rtk-logger@1.11.5 is a malicious NPM package. It contains functionality to collect extension data, cryptocurrency wallet files, and sensitive user data from popular browsers (Chrome, Brave, Opera, Firefox) and upload it to an attacker-controlled server.

In the code snippet below, specific browser paths and cryptocurrency wallet extension IDs are hardcoded.


The following code primarily imports Node.js built-in modules and third-party libraries, and retrieves certain system-related information in preparation for subsequent malicious operations.

  • uploadFiles() — Scans and collects configuration files from Chrome, Brave, and Opera, along with sensitive crypto wallet data, then uploads it to the attacker’s server.
  • uploadMozilla() — Specifically targets Firefox browser data for exfiltration.
  • uploadEs() — Targets sensitive data from the Exodus wallet.
  • UpKeychain() — Steals passwords, certificates, and browser-stored login data from Keychain.
  • UpUserData() — Extracts highly sensitive browser information, including login credentials and encryption keys.

The Upload() function sends all collected data to 144[.]172[.]112[.]106 without any post-processing.


In addition to harvesting sensitive user data and cryptocurrency wallet information, the malicious NPM package also implements numerous other malicious functions.

  • runP() — Checks for the existence of a file named p.zi, renames it to p5.zip, and extracts it. If absent, downloads the payload from 144[.]172[.]112[.]106, saves it as p.zi, renames it to p5.zip, and extracts it.
  • Xt() — Behavior varies by OS:

On Windows: if python.exe exists, downloads a Python script from 144[.]172[.]112[.]106 and executes it. Otherwise, calls runP().

On non-Windows systems: directly downloads the Python script and executes it with python3.

  • aj — Contains a malicious script that sends logs to 172[.]86[.]64[.]67, detects virtualized environments, and reports system info.
  • Socket communication — Installs socket.io-client to connect to 172[.]86[.]64[.]67, listens for “command” messages, executes received commands, and returns the results. The malicious server can also retrieve the client’s current environment information via the "whour" command.
  • ak — Script for additional browser and user data theft.
  • al — Script for scanning the filesystem for sensitive files and exfiltrating them.
  • am — Implements keylogging, screen capture, and clipboard monitoring, with data sent to the attacker’s server.

Two other GitHub accounts had forked this repository. Analysis of their forks revealed the use of the original redux-ace@1.0.3 malicious NPM package in package.json.


Indicators of Compromise (IoCs)

IPs

  • 144[.]172[.]112[.]106
  • 172[.]86[.]64[.]67

URLs

  • http://144[.]172[.]112[.]106:1224/pdown
  • http://144[.]172[.]112[.]106:1224/client/5346/64
  • https://api[.]npoint[.]io/96979650f5739bcbaebb
  • http://172[.]86[.]64[.]67/api/service/makelog
  • http://172[.]86[.]64[.]67/api/service/process/
  • http://172[.]86[.]64[.]67:4181
  • http://172[.]86[.]64[.]67:4188/upload
  • http://172[.]86[.]64[.]67:4186/upload
  • http://172[.]86[.]64[.]67:4187/upload

SHA256

  • af46c7917f04a9039eb0b439a7615ec07b7ad88048cb24fe23c454c16dffcd57 — rtk-logger-1.11.5.tgz

GitHub Repositories Using rtk-logger@1.11.5

  • https://github[.]com/EvaCodes-Community/UltraX

GitHub Repositories Using redux-ace@1.0.3

  • https://github[.]com/kylengn/UltraX
  • https://github[.]com/taqveemahsan/UltraX
  • https://github[.]com/zinping/Pain_project

Malicious NPM Packages

  • https://www[.]npmjs[.]com/package/rtk-logger
  • https://www[.]npmjs[.]com/package/redux-ace

NPM Package Download Link

  • https://registry[.]npmjs[.]org/rtk-logger/-/rtk-logger-1.11.5.tgz

Conclusion

In this incident, the attacker posed as a legitimate open-source project (EvaCodes-Community/UltraX) to trick interviewees into downloading and executing malicious code. Running such a project containing a malicious NPM package without caution could lead to sensitive data leakage and asset theft.

We strongly advise developers and users to remain vigilant when handling unknown GitHub projects. If execution is necessary, it should be done in an isolated environment with no sensitive data.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
