A developer named Ratik Krishna reached out to me recently to review his "secure" password manager for developers, Lock-N-Key. It claimed to be "Zero Trace," "Ironclad," and "Offline-only".
The Bait-and-Switch
He established trust by providing a GitHub repository written in Flutter/Dart. However, the executable file distributed on the website was NOT built from that source code.
The Forensic Findings (Kali Linux Analysis)
After running static analysis on the .exe file, the truth came out:
Binary Mismatch: The code on GitHub is Flutter, but the actual binary is compiled in Delphi/Borland.
Malicious Signatures: Found hardcoded strings for Trojan Stealers like sccPasswordTest and imports for WinInet (for exfiltrating data).
Panic Update: Once confronted, the developer frantically pushed a "Version 2" update to GitHub to try and cover his tracks.
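A minimal sketch of the string-level triage behind the first two findings, added here as an example and not taken from the original analysis: it extracts ASCII and UTF-16 strings from a binary and compares toolchain markers against the toolchain the published source claims. The marker lists and sample bytes are assumptions constructed for illustration; only the toolchain names, WinInet and sccPasswordTest come from the post.

```python
import re

# Toolchain marker strings are assumptions chosen for this example; the post
# names only the toolchains (Flutter, Delphi/Borland), WinInet and sccPasswordTest.
TOOLCHAIN_MARKERS = {
    "delphi": [b"Borland", b"Embarcadero", b"Delphi", b"TObject"],
    "flutter": [b"flutter_windows.dll", b"flutter_assets"],
}
NETWORK_IMPORTS = [b"wininet.dll", b"winhttp.dll", b"ws2_32.dll"]
REPORTED_STRINGS = [b"sccPasswordTest"]  # string reported in the post


def extract_strings(data, min_len=5):
    """Printable ASCII and UTF-16LE runs, like `strings -a` plus `strings -el`."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ascii_runs + [w[::2] for w in wide_runs]


def hits(blob, needles):
    """Needles present in the lowercased string blob, as sorted text."""
    return sorted(n.decode() for n in needles if n.lower() in blob)


def triage(data, claimed):
    """Compare toolchain markers in a binary with the toolchain its source claims."""
    blob = b"\n".join(extract_strings(data)).lower()
    seen = {name: hits(blob, marks) for name, marks in TOOLCHAIN_MARKERS.items()}
    others = [name for name, found in seen.items() if found and name != claimed]
    return {
        "looks_like_pe": data[:2] == b"MZ",
        "toolchains": seen,
        "mismatch": bool(others) and not seen.get(claimed),
        "network_imports": hits(blob, NETWORK_IMPORTS),
        "reported_strings": hits(blob, REPORTED_STRINGS),
    }


# Constructed sample bytes (not real executables, not taken from the archived file).
SAMPLE_DELPHI = (b"MZ" + b"\x00" * 62 + b"SOFTWARE\\Borland\\Delphi\\RTL\x00TObject\x00"
                 + b"wininet.dll\x00\x00" + "sccPasswordTest".encode("utf-16-le") + b"\x00\x00")
SAMPLE_FLUTTER = b"MZ" + b"\x00" * 62 + b"flutter_windows.dll\x00data\\flutter_assets\x00"

if __name__ == "__main__":
    for label, sample in (("delphi-like", SAMPLE_DELPHI), ("flutter-like", SAMPLE_FLUTTER)):
        print(label, triage(sample, claimed="flutter"))
```

Run the same check on the installed application binary as well as the setup file: installer frameworks such as Inno Setup are themselves written in Delphi, so markers in a setup stub describe the installer and not necessarily the payload it unpacks.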
Evidence & Archives
I have preserved all forensic evidence to prevent this campaign from targeting more developers:
The Fake Landing Page: https://web.archive.org/web/20260201142942/https://lock-n-key.netlify.app/
The Malicious Executable (Direct Archive): https://web.archive.org/web/20260201142956/https://lock-n-key.netlify.app/downloads/lock_n_key_setup.exe
The Decoy GitHub Repository: https://web.archive.org/web/20260201143634/https://github.com/rtk007/Lock_N-_Key
The Panic Commit History (Evidence of Cover-up): https://web.archive.org/web/20260201144226/https://github.com/rtk007/Lock_N-_Key/commits/main
The Lesson
Open source doesn't always mean safe. If an installer asks you to "Run Anyway" while bypassing Windows Defender, it's a trap.
Watch the full technical breakdown here: https://youtu.be/wZHwxNvt_KI