Possible Malware: SettleMint-Platform1-Core

[boragungoren-portakalteknoloji]

Select Topic Area

Question

Body

This project appears as a clone of previous malware SpreadChain. Please check the repo:

https://github.com/SettleMint-Tech-Hub1001/SettleMint-Platform1-Core

It works as a typical wallet drainer:

• The payload is not inside the code but to be downloaded at runtime.
• The file with the call to the drainer is: https://github.com/SettleMint-Tech-Hub1001/SettleMint-Platform1-Core/blob/main/server/controllers/collection.js
• The particular line is: const ensureWeb = new Function("require", payload);

[MasteraSnackin]

Yeah, this definitely looks sketchy. That pattern you found - downloading a payload at runtime and executing it with new Function("require", payload) - is a huge red flag. Legitimate projects just don't do that, especially anything related to wallets or crypto.

The fact that it's apparently cloned from known malware (SpreadChain) and the malicious code isn't even visible in the repo makes it pretty clear this is designed to avoid detection. Classic wallet drainer behavior.

I'd definitely report this through GitHub's abuse reporting system. When you report it, make sure to:

• Include the repo URL and the specific file path (server/controllers/collection.js)
• Point out the new Function line that executes the downloaded payload
• Mention that it appears to be a clone of known malware

And obviously, don't run this code anywhere near anything with real wallet access. If you've already executed it on a machine that has wallets, you should probably treat that system as compromised - move any assets to fresh wallets on a clean device.

GitHub's security team should be able to take a closer look and remove it if it violates their policies.

[samuelsitio26]

Based on the information shared and a quick review of the repository, the behavior described does raise serious security concerns.

Using dynamically downloaded code that is executed at runtime via new Function("require", payload) is a well-known red flag, especially in projects that interact with wallets or crypto assets. This pattern allows arbitrary code execution while keeping the actual malicious logic outside of the repository, which is commonly used to evade static analysis and manual review.

The fact that the repository is reported to be similar to known malware such as SpreadChain further strengthens the suspicion. Legitimate projects generally avoid runtime payload execution from remote sources, and they are transparent about all executable logic within the codebase.

At this point, the safest course of action is:

Do not run the code outside of a fully isolated sandbox.

Report the repository through GitHub’s abuse or security reporting channels with clear technical details (repo URL, file path, and the specific execution line).

Allow GitHub’s security team to investigate and determine whether it violates platform policies.

Thanks for flagging this — identifying and reporting potentially malicious repositories helps keep the ecosystem safer for everyone.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[Tectract]

deletionist github auto-deleting reports of malware on their platform is what I see here