Received a link to this repo as a "test task". There's malicious code "hidden" in this file, at the bottom, scroll to the right.
I also ran it :(, could you please write some more about what else it scans and sends?
You should assume your whole machine was compromised. Change all passwords, invalidate API keys, create new crypto wallets (new seed phrase) and move assets there.
Thank you, API keys are not a problem, also crypto wallets for me. I changed passwords, I'm worrying about the OS. I have macOS, so do I have to reinstall it? I removed files and stopped processes as I could, what else can I do?
Thanks in advance
Better to do full erase. I did so.
Another one: https://bitbucket.org/crypto-oasis-work/socifi-game-v1/
Reported here.
Welcome to Atlassian Community!
You can report this to abuse@atlassian.com and they will take action on it.
Hi, thanks, I tried, but they didn't respond. Anyway the repo is gone now.
Hi @Mikael Sandberg @Andrew Katsewich, it looks like the repo has just moved: https://bitbucket.org/zoro-defi/zoro-ui/src/main/next.config.js
Thanks for reporting it @Ethan Lourens It has been removed.
Hi
it seems like they moved to https://bitbucket.org/zoro6/zoro-ui
Same scum pattern -
https://www.linkedin.com/in/leonardo-junior-carrillo-castellano-8892a133a/ used this profile to reach out kinda to hire
Name Leonardo Junior Carrillo Castellano
@Blackening999 Thanks for reporting it. That repo has been taken down.
He reached out to hire too, and here is the repo: https://bitbucket.org/crypto-oasis-socifi/socifi-mvp-v1/src/main/
@Mikael Sandberg Another one, from the same LinkedIn user: https://bitbucket.org/socifi-multi-oasis/socifi-multi-oasis/src/main/
Here's what this guy said to me on LinkedIn:
---
Leonardo Junior Carrillo Castellano
1st degree connection · 1st
Product & Sales Manager @ Central Blockchain Council of America ( CBCA ) | Web3 enthusiasts
Monday
Leonardo Junior Carrillo Castellano sent the following messages at 9:41 AM
View Leonardo Junior’s profile Leonardo Junior Carrillo Castellano
Hi
We’re working on a SocialFi and Web3 game platform and believe your experience could really help us out. You’re welcome to join as a technical manager or developer, and you can work part-time or full-time, all remotely.
Let’s chat more about it!
Thank you!
View Leonardo Junior’s profile Leonardo Junior Carrillo Castellano
Hello,
It’s great to connect with you!
We’ve had a long-term partnership with Crypto Oasis, and this project is for one of our investors in the UAE. We’re planning to launch our MVP in about 3–4 months with a budget of $5M.
This is a Web3 platform that includes:
- A decentralized exchange
- Games
- Multi-game community features
- NFTs/Tokens
- Live streaming services
We started this journey last year and created MVP v1, but we had to pause it for over six months due to some miscommunication with our investors. Now, we’re ready to build a new development team to update it from v1 to v2 and move forward with the launch. You can check out the MVP v2 design here:
https://www.figma.com/design/zvYbNR7SIzEFdxrZBcg5Ms/MVP_Crypto_Oasis_V2?node-id=0-1&p=f&t=ie1nBmg20jgJCESM-0
Our expected salary for each role are:
- Frontend (React): $200K/year
- Backend (Node.js, Web3 integration): $300K/year
- Blockchain (Web3 or Smart Contracts): $350K/year
- Technical Manager/PM: $400K/year
Let me know if these rates work for you. If not, feel free to share your expected hourly rates.
I’ve already shared your profile with our CTO , so if you could send me your resume, I’ll pass it along.
Looking forward to your response. Thanks!
---
I got it!
They do not put the malware in the repo anymore to avoid getting banned. They insistently request that you try the project, like they were doing with me, and then they ask you to show the console errors and will attempt to "fix" the code with you.
That "fix" will be the malware.
I didn't give them any chance to try this with me tho.
Edit: Actually the malware was there all along ahah, in ./socket/index.js, last code line there.
@fdsf fdsfsd Good catch, thanks for sharing. I received ~3 repos seemingly with no malware, this never happened before, so I guess we have no ground now to report them.
Hello, the malware is still there:
https://bitbucket.org/crypto-oasis-work/socifi-game-v1/src/main/server/routes/api/auth.js
Last line, number 19, then scroll a lot to the right. You will see code. Just 19 lines but 5.5 KB.
it starts with
const aR=F;(function(aD,aE){const aQ=F,aF=aD();while(!![]){try{
@Mikael Sandberg another one: https://bitbucket.org/oasis-crypto-work/socifi-game-v1/src/main/server/routes/api/auth.js
exactly the same issue as @Dw Ralfs pointed out