
Comment by TZubiri

12 hours ago

It looks like this is legit, but the script is very phishy and I wouldn't run it in unvirtualized or disposable systems.

https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/m...

>zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))

This is not source code; this is binary. It's entirely possible that this contains a script that downloads another malicious script (or that simply contains the malicious commands).

That said, I understand why a terser script might have been prioritized.

EDIT: There are a couple of C ports in the comments that contain more details and no compressed payloads.

> This is not source code; this is binary. It's entirely possible that this contains a script that downloads another malicious script (or that simply contains the malicious commands).

It doesn't; it's just a compressed ELF file that does setuid(0); execve("/bin/sh", 0, 0). You can just unzlib it and throw it in a disassembler.
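The triage step the reply describes (inflate the blob and look at it instead of running it), written out as an added example. This is not code from the thread or from the linked repository, and it does not embed the script's real payload: the ELF it inspects is a constructed stand-in of the kind the reply describes (a static setuid/execve stub), so the header values and the one string it recovers are properties of that sample only. Everything else is standard library; no names here come from the original script apart from the zlib-of-hex decoding it performs.

```python
import struct
import zlib

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after e_ident[16]
PHDR_FMT = "<IIQQQQQQ"        # ELF64 program header (56 bytes)
PT_NAMES = {1: "PT_LOAD", 2: "PT_DYNAMIC", 3: "PT_INTERP", 0x6474E551: "PT_GNU_STACK"}
PF_X, PF_W, PF_R = 1, 2, 4


def decode_payload(hexstr: str) -> bytes:
    """Reverse the script's hex-decode + zlib.decompress step without executing anything."""
    return zlib.decompress(bytes.fromhex(hexstr))


def classify(blob: bytes) -> str:
    """Cheap first look: native binary, shebang script, or something else."""
    if blob.startswith(ELF_MAGIC):
        return "elf"
    if blob.startswith(b"#!"):
        return "script"
    return "unknown"


def inspect_elf(blob: bytes) -> dict:
    """Parse the ELF64 little-endian header and program headers. Section headers are not
    needed, which matters for tiny hand-built binaries that have none."""
    if classify(blob) != "elf":
        raise ValueError("not an ELF file")
    if blob[4] != 2 or blob[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, blob, 16)
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _paddr, p_filesz, p_memsz, _align = \
            struct.unpack_from(PHDR_FMT, blob, e_phoff + i * e_phentsize)
        segments.append({"type": PT_NAMES.get(p_type, hex(p_type)), "flags": p_flags,
                         "offset": p_off, "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    return {"e_type": e_type, "e_machine": e_machine, "entry": e_entry, "segments": segments}


def printable_strings(blob: bytes, minlen: int = 4) -> list:
    """Same idea as strings(1): runs of printable ASCII at least minlen bytes long."""
    out, run = [], bytearray()
    for b in blob + b"\0":          # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= minlen:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def triage(hexstr: str) -> dict:
    """What a reviewer wants to know before opening the blob in a disassembler."""
    blob = decode_payload(hexstr)
    info = inspect_elf(blob)
    info["strings"] = printable_strings(blob)
    # No interpreter and no dynamic segment means a static binary; a W+X segment is a red flag.
    info["static"] = not any(s["type"] in ("PT_INTERP", "PT_DYNAMIC") for s in info["segments"])
    info["wx_segments"] = [s for s in info["segments"] if s["flags"] & (PF_W | PF_X) == (PF_W | PF_X)]
    return info


# --- constructed sample; NOT the payload from the linked script -----------------------
# Hand-assembled x86-64 for setuid(0); execve("/bin/sh", NULL, NULL). It is only inspected
# here, never executed, and stands in for the kind of binary the reply above describes.
SAMPLE_BODY = bytes.fromhex(
    "31ff" "b869000000" "0f05"           # xor edi,edi ; mov eax,105 (setuid) ; syscall
    "488d3d0b000000"                     # lea rdi,[rip+0x0b] -> "/bin/sh"
    "31f6" "31d2" "b83b000000" "0f05"    # xor esi,esi ; xor edx,edx ; mov eax,59 (execve) ; syscall
) + b"/bin/sh\0"


def build_sample_elf(body: bytes, base: int = 0x400000) -> bytes:
    """Minimal static ELF64 executable: one R+X PT_LOAD covering the file, no section headers."""
    ehsize, phsize = 64, 56
    total = ehsize + phsize + len(body)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7      # 64-bit, LE, v1, SYSV ABI
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, 0x3E, 1, base + ehsize + phsize,
                                 ehsize, 0, 0, ehsize, phsize, 1, 0, 0, 0)
    phdr = struct.pack(PHDR_FMT, 1, PF_R | PF_X, 0, base, base, total, total, 0x1000)
    return ehdr + phdr + body


# Same shape as the string in the script: hex of a zlib stream (constructed here).
SAMPLE_HEX = zlib.compress(build_sample_elf(SAMPLE_BODY)).hex()

if __name__ == "__main__":
    report = triage(SAMPLE_HEX)
    print("machine=%#x entry=%#x static=%s wx_segments=%d" % (
        report["e_machine"], report["entry"], report["static"], len(report["wx_segments"])))
    print("strings:", report["strings"])
```

On the real blob the same call tells you in a few lines whether you are looking at an ELF or a shebang script, which architecture and segments it has, and which strings it carries (a URL or a curl command line would show up here); if the output is a small static x86-64 binary whose only string is /bin/sh, that matches what the reply says, and the decompressed bytes can go straight into a disassembler. An unknown classification, a dynamic segment, or a W+X mapping is the point at which to stop and look harder.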