Read more about it in this blog post: https://rxj.dev/npmjs-supply-chain-attack-demistified
- DO NOT RUN THIS CODE ON YOUR MACHINE.
- The code in this repository is what attackers executed on my machine.
- I'm not a security researcher and used Claude to "demystify" the content in malicious.json. The end result is stored in browser-hack.json and system-hack.js. Since I've used an LLM to demystify the code, it probably is a) not functioning (I did not test this - please forgive me) and b) it probably interpreted a few things incorrectly. My initial goal was to understand what the hackers were after - I believe that goal has been achieved.