HeadlinesBriefing.com

Rust supply-chain breach reveals hidden Pinpin RAT

Hacker News

A Rust developer uncovered a sophisticated supply‑chain attack targeting crates.io packages. The bait arrived as a fake interview request from a fabricated Singapore VC, leading the author to clone a TypeScript repository named “Ticket Harbor.” Inside, a hidden patch injected a self‑executing stub into TypeScript’s compiler files, delivering a remote‑access trojan later dubbed Pinpin RAT, highlighting the risk to open‑source supply chains.

The malicious payload resides in a base64 blob, XOR‑encrypted with key 73, that is decoded and then executed via a `new Function` call. It spawns a detached Node process that reads additional code from an appended PNG file and runs a WebAssembly stub, ultimately contacting a command‑and‑control server at 89.124.107. The dropper cleans its traces using git skip‑worktree and self‑deleting temporary directories.

Analysis was accelerated with Claude, which peeled back three layers of obfuscation in minutes and produced an IoC detection script. The RAT harvests system fingerprints, environment variables, and arbitrary files, and supports commands for file upload, download, process spawning, and DNS tunneling. Victims should isolate infected machines, rotate credentials, and apply the provided signatures to stop further compromise.
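Three triage checks for the behaviours described above, as an added example (this is not the IoC script mentioned in the article and not code from the original analysis). It assumes that key 73 is a decimal single-byte XOR key and that the extra code follows the PNG's IEND chunk; all function names, the sample path and the sample data are constructed for illustration.

```python
import base64
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def decode_layer(blob_b64: str, key: int = 73) -> bytes:
    """Base64-decode, then undo a single-byte XOR (key 73 read as decimal: an assumption)."""
    return bytes(b ^ key for b in base64.b64decode(blob_b64))

def png_trailing_bytes(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows IEND (empty for a clean image)."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def skip_worktree_paths(ls_files_v: str) -> list[str]:
    """Parse `git ls-files -v` output; the S tag (s if also assume-unchanged) marks skip-worktree."""
    return [line[2:] for line in ls_files_v.splitlines() if line[:2] in ("S ", "s ")]

# --- Constructed sample inputs (harmless text, not taken from the real malware) ---
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = struct.pack(">I", zlib.crc32(ctype + body))
    return struct.pack(">I", len(body)) + ctype + body + crc

SAMPLE_BLOB = base64.b64encode(bytes(b ^ 73 for b in b"constructed payload text")).decode()
CLEAN_PNG = (PNG_MAGIC
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IEND", b""))
SAMPLE_PNG = CLEAN_PNG + b"constructed trailer"
SAMPLE_LS = "H package.json\nS vendor/placeholder-compiler.js\nH src/index.ts\n"

if __name__ == "__main__":
    print("decoded layer :", decode_layer(SAMPLE_BLOB))
    print("PNG trailer   :", png_trailing_bytes(SAMPLE_PNG))
    print("skip-worktree :", skip_worktree_paths(SAMPLE_LS))
```

On a real checkout, feed `skip_worktree_paths` the output of `git ls-files -v` and run `png_trailing_bytes` over each image in the repository; any non-empty result is worth a manual look.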