Challenge Description
Hello agent 73. You have a new mission. We have a victim to some kind of attacks, but we aren’t sure about the full impact until now. This is the message we received from the victim:
“Hi, I’m a beginner nodeJS backend developer. I was practicing my skills on developing a random project. After I finished my work I didn’t find my work (seems to be deleted) and found this strange image (attached below), am I really hacked?!!”
You only have this image, Agent 73. Do your job.
Author: 0xk4k45h1, Mushroom
The attached image was this ![[Pasted image 20260503122728.png]](/_astro/Pasted_image_20260503122728.B0zYVYzv_11nGzm.webp)
Finding the Attacker
I have a habit when solving CTFs: if the challenge is in the form of a story, I like to first check the author’s username on Google.
Good, the first author’s username is linked to yousslfseliem@instapoo, which is present in the attached image, meaning he is the one intended in the challenge. The first link on Google is:
https://youssifseliem.github.io/
![[Pasted image 20260503123327.png]](/_astro/Pasted_image_20260503123327.CISMsXEK_ZFH9UI.webp)
OSINT Across Platforms
GitHub
Let’s start with GitHub.
This way I confirmed I’m on the right track.
Discord & X
There’s nothing on Discord or X.
Let’s check Reddit — look who’s there?!! The authors are discussing — I’ve now ruined the challenge idea ![[Pasted image 20260503123739.png]](/_astro/Pasted_image_20260503123739.CjtHKzzP_15tJmt.webp)
Following the Blog
Let’s check “Check his blog” and “Stylish boss challenge” ![[Pasted image 20260503124219.png]]
Luckily for me and unluckily for the authors, I was present in the CTF that had the challenge and solved it. The main idea is that a malicious package author is the one who did it.
![[Pasted image 20260503124507.png]](/_astro/Pasted_image_20260503124507.BP4qRZII_1g7zFW.webp)
The Malicious npm Package
Let’s check the author’s account on npmjs.com ![[Pasted image 20260503130302.png]](/_astro/Pasted_image_20260503130302.BJHjQjuN_OEN8i.webp)
There’s a package that was created just two days ago. It has two versions, and each version consists of these files:
/lib-.?.theme
index.js
package.json
Analyzing the Package Structure
After checking the image of the second version (latest), it was the image attached in the challenge.
Recovering the Flag
After checking the image of the first version, it was the correct flag, and this is the flag after decoding with CyberChef ![[Pasted image 20260503130830.png]](/_astro/Pasted_image_20260503130830.Cl2RNYjH_Z1JAOdo.webp)
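The version-to-version comparison above can be automated when triaging a suspicious package. This is an added example, not code from the original write-up or from the challenge authors: it hashes every file in two npm tarballs and reports what differs. The package name, file names and contents are constructed placeholders.

```python
import hashlib
import io
import tarfile


def make_tgz(files):
    """Build an in-memory npm-style tarball (entries live under package/)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(tgz_bytes):
    """Map each regular file to its SHA-256 without extracting anything to disk."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def diff_versions(old_tgz, new_tgz):
    """Return the files added, removed or changed between two package versions."""
    old, new = manifest(old_tgz), manifest(new_tgz)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


# Constructed sample data: two versions that differ only in one asset and the manifest.
V1 = make_tgz({"index.js": b"module.exports = {};\n",
               "package.json": b'{"name":"example-pkg","version":"1.0.0"}\n',
               "lib/asset.bin": b"first-version image bytes"})
V2 = make_tgz({"index.js": b"module.exports = {};\n",
               "package.json": b'{"name":"example-pkg","version":"1.0.1"}\n',
               "lib/asset.bin": b"second-version image bytes"})

if __name__ == "__main__":
    for kind, names in diff_versions(V1, V2).items():
        print(kind, names)
```

For a real package, `npm pack <name>@<version>` downloads each version's tarball without installing it, and the file bytes can be passed to `diff_versions` directly.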