lazarusholic

Everyday is lazarus.day

astro.config.mjs Supply Chain Attack via Blockchain C2

2026-06-11, SafeDep
https://safedep.io/astro-config-blockchain-c2-supply-chain
#PolinRider

Contents

Pull request #206 against Egonex-AI/Understand-Anything (an open source code-to-knowledge-graph tool with 57,000+ GitHub stars) carries a build-time payload hidden in homepage/astro.config.mjs. Every invocation of astro build, astro dev, or astro preview from the affected branch runs the file as a Node.js module, and an obfuscated IIFE at the end fires automatically. The payload beacons one of three hardcoded C2 servers, exfiltrates a campaign marker, XOR-decrypts and evaluates a downloaded bot client, then independently resolves a second-stage command from a Tron blockchain address whose latest transaction encodes a BSC transaction hash carrying the active payload. Because the command relay uses only public blockchain RPC nodes, blocking the C2 IPs does not stop the second stage.
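As an added example (not SafeDep's tooling or code from the affected project), the following heuristic scan reviews an Astro config module for the pattern described above: statements trailing the default export, which run on every astro build/dev/preview, plus eval, raw-IP beacon URLs, XOR decode loops, and the blockchain RPC hosts named in the report. The rules and the inert fixtures are assumptions.

```javascript
// Added example, not SafeDep's tooling: heuristic review of an Astro config
// module for the build-time payload shape described above. Rules are assumptions.
const RULES = [
  { id: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(/,
    why: 'dynamic code evaluation inside a build config' },
  { id: 'literal-ip-url', re: /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/,
    why: 'URL addressed by a raw IP, as hardcoded C2 beacons often are' },
  { id: 'xor-decode', re: /charCodeAt\([^)]*\)\s*\^/,
    why: 'XOR over character codes, typical of in-file stage decryption' },
  { id: 'chain-rpc', re: /api\.trongrid\.io|fullnode\.mainnet\.aptoslabs\.com/,
    why: 'public blockchain RPC contacted from a build step' },
  { id: 'opaque-blob', re: /["'`][A-Za-z0-9+\/=]{120,}["'`]/,
    why: 'long opaque string literal (packed or encoded payload)' },
];

// Source text after the `export default ...` expression. A config module
// normally ends there; anything after it still runs on import, i.e. on every
// astro build/dev/preview. Naive bracket walk: does not parse strings/comments.
function trailingCode(src) {
  const start = src.lastIndexOf('export default');
  if (start < 0) return '';
  let depth = 0, seen = false, i = start;
  for (; i < src.length; i++) {
    const c = src[i];
    if ('({['.includes(c)) { depth++; seen = true; }
    else if (')}]'.includes(c)) { depth--; if (seen && depth === 0) break; }
    else if (c === ';' && depth === 0) break;
  }
  return src.slice(i + 1).replace(/^[\s;]+/, '');
}

function scanAstroConfig(src) {
  const findings = [];
  const tail = trailingCode(src);
  if (tail) findings.push({ id: 'code-after-export', snippet: tail.slice(0, 60),
    why: 'statements after the default export execute at build time' });
  for (const r of RULES) {
    const m = src.match(r.re);
    if (m) findings.push({ id: r.id, snippet: m[0].slice(0, 60), why: r.why });
  }
  return findings;
}

// Constructed fixtures. SUSPECT mimics only the shape (trailing IIFE, IP
// beacon, XOR decode, eval); the IP is a documentation address and it is inert.
const CLEAN = `import { defineConfig } from 'astro/config';
export default defineConfig({ site: 'https://example.com', integrations: [] });
`;
const SUSPECT = CLEAN + `;(function(){const u='http://192.0.2.10:27017';` +
  `const d=s=>[...s].map(c=>String.fromCharCode(c.charCodeAt(0)^7)).join('');` +
  `eval(d('zzz'))})();`;

console.log(scanAstroConfig(CLEAN).length, scanAstroConfig(SUSPECT).map(f => f.id));
```

Run it against each astro.config.mjs touched by a pull request; a clean config yields no findings, while the fixture above reports the trailing code, eval, IP beacon and XOR decode.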
The deceptive PR
The PR title reads fix(dashboard): filter Path Finder "To" dropdown to reachable nodes (#188). The description documents a BFS reachability fix, a shared useMemo adjacency map, a useEffect for clearing stale targets, and a test …

IoC
