<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Alvaro Paçó</title>
    <description>The latest articles on DEV Community by Alvaro Paçó (@alvaropaco).</description>
    <link>https://dev.to/alvaropaco</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1076120%2Fb847b496-c26b-4897-bb63-e199214f56f3.jpeg</url>
      <title>DEV Community: Alvaro Paçó</title>
      <link>https://dev.to/alvaropaco</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/alvaropaco"/>
    <language>en</language>
    <item>
      <title>Crypto Project Hidden Trojan</title>
      <dc:creator>Alvaro Paçó</dc:creator>
      <pubDate>Tue, 22 Apr 2025 15:25:38 +0000</pubDate>
      <link>https://dev.to/alvaropaco/crypto-project-hidden-trojan-29d0</link>
      <guid>https://dev.to/alvaropaco/crypto-project-hidden-trojan-29d0</guid>
      <description>&lt;p&gt;Running a piece of code should feel safe—but what if that code hides a secret backdoor? Recently, we audited a JavaScript/TypeScript Node.js codebase and uncovered a cleverly disguised trojan. Here’s a plain‑language breakdown of what we found and how you can protect your own projects.&lt;/p&gt;

&lt;h2&gt;1. How We Got Suspicious&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;We spotted odd dependencies&lt;/strong&gt; in the &lt;code&gt;package.json&lt;/code&gt; file: tiny, pointless packages like &lt;code&gt;execp&lt;/code&gt;, &lt;code&gt;winson&lt;/code&gt;, and even fake core modules named &lt;code&gt;fs&lt;/code&gt;, &lt;code&gt;http&lt;/code&gt;, and &lt;code&gt;path&lt;/code&gt;. Attackers often use these “typosquat” modules to slip malware into your project.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A particular file stood out:&lt;/strong&gt; &lt;code&gt;routes/web.js&lt;/code&gt; contained unreadable, obfuscated code—an immediate red flag.
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;2. Key Findings Explained&lt;/h2&gt;

&lt;h3&gt;Obfuscated Code = Hidden Intent&lt;/h3&gt;

&lt;p&gt;Inside &lt;code&gt;routes/web.js&lt;/code&gt;, most strings and module names were scrambled with Base64 and hexadecimal. Only at runtime does the code decode itself to reveal real instructions. This is like hiding a secret message in invisible ink.&lt;/p&gt;

&lt;h3&gt;Stealthy System Inspection&lt;/h3&gt;

&lt;p&gt;Once decoded, the script quietly gathers:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Your operating system details&lt;/li&gt;
&lt;li&gt;Your username and home-folder path&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;With this information, attackers can fingerprint your machine and decide whether it’s worth compromising further.&lt;/p&gt;

&lt;h3&gt;Contacting a Remote Server&lt;/h3&gt;

&lt;p&gt;The backdoor builds a hidden URL (e.g., &lt;code&gt;http://&amp;lt;attacker-ip&amp;gt;:1244&lt;/code&gt;) and sends out system info. It then waits for instructions—classic &lt;strong&gt;Command‑and‑Control&lt;/strong&gt; behavior.&lt;/p&gt;

&lt;h3&gt;Download &amp;amp; Execute&lt;/h3&gt;

&lt;p&gt;Based on those instructions, it downloads a secondary payload to your disk and executes it via &lt;code&gt;child_process.exec&lt;/code&gt;. This is how it can install additional malware, steal files, or take over your computer—completely behind your back.&lt;/p&gt;

&lt;h2&gt;3. Why This Matters&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;No user prompt&lt;/strong&gt;: Simply launching the app triggers the backdoor.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Full access&lt;/strong&gt;: It runs with the same permissions as your Node process, so it can read/write any file you could.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credential theft risk&lt;/strong&gt;: If you store API keys, database credentials, or crypto wallets in your project, a backdoor like this can steal them in seconds.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;4. Protecting Your Projects&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Vet your dependencies.&lt;/strong&gt;  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Avoid obscure or typo‑squat packages.
&lt;/li&gt;
&lt;li&gt;Use tools like &lt;code&gt;npm audit&lt;/code&gt; or third‑party scanners to flag low‑quality or newly published modules.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Read new code carefully.&lt;/strong&gt;  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Be wary of any file with heavy obfuscation or unusual import patterns.
&lt;/li&gt;
&lt;li&gt;Search for dynamic &lt;code&gt;require()&lt;/code&gt; calls or hidden Base64 strings.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Lock down your environment.&lt;/strong&gt;  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Run new or untrusted code in isolated containers or VMs.
&lt;/li&gt;
&lt;li&gt;Never run random test projects on your main development machine.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Monitor network activity.&lt;/strong&gt;  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use a process monitor or firewall rules to catch unexpected outbound requests.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;5. Final Thoughts&lt;/h2&gt;

&lt;p&gt;Malicious code is growing more sophisticated—and it often arrives disguised as a “helpful” project or test assignment. By staying vigilant, validating every dependency, and isolating untrusted code, you can keep your development environment—and your secrets—safe.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>cryptocurrency</category>
      <category>programming</category>
      <category>javascript</category>
    </item>
    <item>
      <title>Introducing HTTP/3: The Future of Internet Protocols</title>
      <dc:creator>Alvaro Paçó</dc:creator>
      <pubDate>Mon, 08 May 2023 16:48:19 +0000</pubDate>
      <link>https://dev.to/alvaropaco/introducing-http3-the-future-of-internet-protocols-13ma</link>
      <guid>https://dev.to/alvaropaco/introducing-http3-the-future-of-internet-protocols-13ma</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ekYY00HC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gdy98hmjzpglu6qh7eij.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ekYY00HC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gdy98hmjzpglu6qh7eij.jpeg" alt="Image description" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The internet has come a long way since the early days of dial-up connections and slow-loading web pages. Today, we take for granted the lightning-fast speeds and seamless connectivity that allow us to browse, stream, and communicate in real-time. However, as technology evolves, so too must the underlying protocols that power our online experiences. That's where HTTP/3 comes in.&lt;/p&gt;

&lt;p&gt;HTTP/3 is the latest iteration of the Hypertext Transfer Protocol, the foundation of the World Wide Web. Developed by the Internet Engineering Task Force (IETF), HTTP/3 represents a significant departure from its predecessor, HTTP/2, by replacing the Transmission Control Protocol (TCP) with a new transport protocol called Quick UDP Internet Connections, or QUIC.&lt;/p&gt;

&lt;p&gt;QUIC is a variation of the User Datagram Protocol (UDP) that offers several key advantages over TCP. For one, it incorporates Transport Layer Security (TLS) 1.3 by default, which provides built-in encryption and improves connection establishment time by eliminating the need for a separate TLS handshake. This reduces latency and enhances security, which is especially important in today's world of ubiquitous data breaches and cyberattacks.&lt;/p&gt;

&lt;p&gt;Another major benefit of QUIC is its ability to handle packet loss at the individual stream level, rather than blocking the entire connection like TCP. This reduces head-of-line blocking, which occurs when packets are delayed or lost, leading to slower data transfer and increased latency. With QUIC, a lost packet on one stream does not affect other streams, resulting in faster and more reliable connections.&lt;/p&gt;

&lt;p&gt;QUIC also supports connection migration, which means that clients can change IP addresses without losing connectivity or incurring additional latency. This is particularly useful for mobile and cellular networks, where connections can be spotty and unstable.&lt;/p&gt;

&lt;p&gt;Perhaps most impressive of all, QUIC enables 0-RTT (zero round trip time) connection establishment in certain situations. This means that if you're connecting to a server that you've visited before, your browser can establish a connection without any delay, resulting in significantly reduced latency and faster page loads.&lt;/p&gt;

&lt;p&gt;Of course, all of these benefits are only possible if HTTP/3 and QUIC are widely adopted by browsers and internet providers. Unfortunately, this is easier said than done. Many large networks do not support UDP at all, and implementing a new protocol on top of UDP can be challenging. There are also compatibility issues to consider, as older hardware and software may not be able to handle the new protocol.&lt;/p&gt;

&lt;p&gt;Despite these challenges, HTTP/3 and QUIC represent an exciting step forward for internet protocols. By incorporating the latest encryption, congestion control, and connection management technologies, they offer the potential for faster, more secure, and more reliable online experiences. As more and more providers and networks adopt these new standards, we can look forward to a faster, safer, and more connected future for the internet.&lt;/p&gt;

</description>
      <category>http3</category>
      <category>http</category>
      <category>network</category>
      <category>internet</category>
    </item>
    <item>
      <title>Protect your patrimony with Btc. Avoid gold!</title>
      <dc:creator>Alvaro Paçó</dc:creator>
      <pubDate>Wed, 03 May 2023 14:17:11 +0000</pubDate>
      <link>https://dev.to/alvaropaco/protect-your-patrimony-with-btc-avoid-gold-3fa2</link>
      <guid>https://dev.to/alvaropaco/protect-your-patrimony-with-btc-avoid-gold-3fa2</guid>
      <description>&lt;p&gt;While I appreciate the numerous advantages that cryptocurrency offers, I am hesitant to fully embrace the idea that protecting one's patrimony with BTC is superior to using gold. There are several factors to consider when it comes to choosing a reliable asset for wealth preservation.&lt;/p&gt;

&lt;p&gt;First and foremost, gold has been known for its value and durability for thousands of years. It has stood the test of time and proved to be a reliable store of value in times of economic turbulence. On the contrary, the history of Bitcoin and other cryptocurrencies is relatively short, and it remains to be seen how well they will hold up over the long term.&lt;/p&gt;

&lt;p&gt;Second, gold is a tangible asset that you can physically hold and possess. While BTC is a digital currency, it relies on complex technology that is highly vulnerable to hacking, loss, and theft. While innovative solutions have been proposed to address these issues, the risk remains significant.&lt;/p&gt;

&lt;p&gt;Lastly, gold is widely accepted and recognized as a form of currency across the world. While the adoption of BTC is increasing, it still faces significant resistance and regulatory complexities in many countries.&lt;/p&gt;

&lt;p&gt;In the past, governments have confiscated gold holdings from their citizens to address economic crises or fund wars. For example, in the United States in 1933, President Roosevelt signed Executive Order 6102, which required citizens to turn in their gold holdings to the government in exchange for paper money.&lt;/p&gt;

&lt;p&gt;While it is unlikely that a similar situation will happen again, it is not impossible. Governments have the power to seize assets in the name of national security, and gold holdings may be a target if the government deems it necessary.&lt;/p&gt;

&lt;p&gt;On the other hand, Bitcoin is a decentralized digital currency that is not subject to government control. Bitcoin operates on a decentralized network, which means that it is not controlled by a central authority like a government or bank. The transactions are recorded on a public ledger called the blockchain, and each transaction is verified by a network of computers called nodes.&lt;/p&gt;

&lt;p&gt;Bitcoin is designed to be a deflationary currency, meaning that there is a limited supply of coins. Unlike gold, which can be mined indefinitely, Bitcoin has a maximum supply of 21 million coins, which is expected to be reached in the year 2140. This limited supply makes Bitcoin a scarce asset, which can increase its value over time.&lt;/p&gt;

&lt;p&gt;In addition to its scarcity, Bitcoin offers other advantages over physical gold. It is easy to transport and store, as it can be stored on a hardware wallet or even in your memory. It is also easy to divide and use for small transactions, which makes it a more practical currency for daily use than gold.&lt;/p&gt;

&lt;p&gt;In conclusion, while the possibility of government confiscation of physical gold holdings may be remote, it is not impossible. Bitcoin, on the other hand, offers many advantages over gold as a financial reserve, including its decentralized nature, scarcity, ease of transport and storage, and practicality for daily use. As always, it's important to conduct your own research and make an informed decision before making any financial investments.&lt;/p&gt;

</description>
      <category>btc</category>
      <category>crypto</category>
      <category>gold</category>
    </item>
  </channel>
</rss>
