lazarusholic


When Git History Lies: Commit-Date Spoofing as Malware Cover

2026-04-11, KL4R10N
https://kl4r10n.tech/blog/when-git-history-lies
#DevPopper

Four public GitHub repositories show a shared obfuscated stage-0 JavaScript loader appended to executable config files, aligning with publicly documented XCTDH / DEV#POPPER infrastructure and tactics.

Tags: Malware Analysis, Threat Intel

[Cover image: When Git History Lies]

Executive summary
This research article documents four public GitHub repositories that contain an appended, obfuscated JavaScript loader embedded in framework or build-tool configuration files. In all four cases, the malicious code is appended after an otherwise legitimate configuration export, allowing the file to remain visually plausible while still executing arbitrary code when the associated tooling loads the config.

Across the four samples, direct inspection shows the same stage-0 scaffold:

- a visible version tag in the form global['_V']='...'
- global['r']=require
- a custom deobfuscation function named MDy
- a large scrambled string blob
- an immediately invoked function expression (IIFE)
- the same general stage-0 execution structure, with only the _V tag changing between samples
Public reporting by Ransom-ISAC describes the same stage-0 loader family as Cross-Chain TxDataHiding (XCTDH) and says it retrieves …