PinpinRAT Base64 Stub Embedded in typescript+5.9.2.patch During Fabricated Lua Ventures Interview

The recipient received an email from a fabricated D█████ S████ persona at defunct Lua Ventures claiming advisory interest in Lyrasing and Roadpay. After a call, the attacker supplied a TypeScript repository containing 14 patch-package directories. Manual review and Claude-assisted scan isolated the malicious patch among decoy files targeting electron-benchmarks and unrelated packages. The payload used Buffer.from base64 decode followed by single-byte XOR and new Function execution with require, Buffer, WebAssembly and process primitives.

No postinstall hook existed in root package.json despite patch-package usage, a configuration mismatch that prompted deeper inspection. The attack surface centered on patch-package's ability to rewrite node_modules contents during npm install. Zero detections on VirusTotal indicate the obfuscation bypassed signature-based scanners and common supply-chain heuristics. Similar lures reported by other Rust crates.io maintainers suggest targeted reconnaissance of package authors rather than broad phishing.

Defensive gaps include absence of patch diff monitoring in CI pipelines and lack of runtime integrity checks on TypeScript compiler binaries. The campaign mirrors documented npm supply-chain operations tracked under UNC groups but adds interview pretext and Rust ecosystem focus. Canadian authorities received the full IoC set including the XOR key and Function-wrapped stub.

CISA and CCCS coordination is expected to expand monitoring of crates.io and npm patch workflows. Maintainers should enforce reproducible builds and pre-install diff review within 30 days to close the identified vector.