Dear developers, please stop obfuscating your code.


I do a lot of open-source dependency threat hunting, and recently I've been seeing something that is both incredibly annoying and useless.

Obfuscation.


Now, I get it. Writing a cool piece of software takes a considerable amount of time and effort (or at least it used to), and it was never a nice feeling to have your project cloned, rebranded and redistributed by somebody else.

But times have changed. The cost to write code is the lowest it's ever been, and the time and complexity of deobfuscating some JavaScript or Python has fallen off a cliff too.

Despite this, every day I see countless perfectly legitimate and benign projects exhibit the same signatures and behaviours as some of the most prominent supply-chain malware campaigns we have seen in the past year. And I can't help but ask myself why, and whether there isn't a better solution.


This is a sample from the recent moika[.]tech package dependency campaign, which you can read about here.

Well, actually, it's not. This is in fact a completely benign package containing the glue types and path constants for a test-runner-plus-viewer toolchain.

Which begs the question: why on earth does it look like that? For comparison, here is what actual obfuscated malware looks like.

It's the same, and yet one will steal all of your secrets and tokens and install a RAT on your machine, while the other simply lets you run a test library.


Now, we can take many different approaches to de-obfuscation when we find code like this: scripts, online tools, and AI.

It's not particularly difficult, and in the end you get something that resembles the original code. With AI you can even try to guess what the intent of the code was and add back plausible function and variable names.

But what this does cost is time and tokens. Effort.


So why bother?

As I mentioned earlier, I think it's a combination of wanting to protect effort and an idea. I made this, it took me time, I want to let others use it, but I want it to be mine.

The cost to obfuscate is also zero. There are countless free tools, it can be automated in CI/CD as part of the package release, and in any large project with many dependencies, whatever performance penalty it adds to the test suite is probably going to go completely unnoticed.

It's almost a no-brainer.


For defenders, threat hunters or the package-manager-curious, the maths changes dramatically.

A sample like the one above triggers every rule; it can't be dismissed at a glance, and it diverts huge amounts of time from detecting, investigating and responding to actual malware affecting real people on the supply chain.
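To make the two passages above concrete, here is an added example (my own code, not something from the post or from any package it describes) that scores the obfuscation signals a threat hunter's rules typically key on, and runs the escape-decoding normalization step that de-obfuscation starts with. Both inputs are constructed for this example: a benign test-reporter config module as a JavaScript obfuscator would emit it, and the same module written plainly. The signal names and thresholds are my assumptions, not any particular tool's rules.

```python
import math
import re
from collections import Counter

# Constructed sample: a benign config module after a typical obfuscator pass
# (hex identifiers, rotated string array, escaped string literals).
# Written for this example; not taken from any real package.
OBFUSCATED_BENIGN = r"""
var _0x4f2a=['\x72\x65\x70\x6f\x72\x74\x65\x72','\x6a\x75\x6e\x69\x74','\x2e\x2f\x72\x65\x73\x75\x6c\x74\x73'];
(function(_0x1b3c,_0x2d4e){var _0x3e5f=function(_0x4f60){while(--_0x4f60){_0x1b3c['push'](_0x1b3c['shift']());}};_0x3e5f(++_0x2d4e);}(_0x4f2a,0x1a4));
module['exports']={'reporter':_0x4f2a[0x0],'format':_0x4f2a[0x1],'outDir':_0x4f2a[0x2]};
"""

# Constructed sample: the same module as a human would write it.
PLAIN_BENIGN = r"""
'use strict';
module.exports = {
  reporter: 'reporter',
  format: 'junit',
  outDir: './results',
};
"""

# Signal patterns (assumed heuristics, chosen for this example).
HEX_IDENT = re.compile(r"\b_0x[0-9a-fA-F]{2,}\b")          # obfuscator-style names
IDENT = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]*\b")         # any identifier-like token
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|\bexec\s*\(|\b__import__\s*\(")
LONG_B64 = re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]")   # long opaque blobs


def shannon_entropy(text: str) -> float:
    """Bits per character; reported for context, not used for flagging."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def decode_escapes(src: str) -> str:
    """First de-obfuscation step: turn \\xNN and \\uNNNN escapes back into text."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), src)


def score_source(src: str) -> dict:
    """Collect obfuscation signals and flag the sample if two or more fire."""
    # Strip escapes before tokenising so '\x72' is not counted as identifier 'x72'.
    idents = IDENT.findall(ESCAPE.sub("", src))
    signals = {
        "hex_ident_ratio": round(len(HEX_IDENT.findall(src)) / max(1, len(idents)), 2),
        "escape_count": len(ESCAPE.findall(src)),
        "dynamic_exec": len(DYNAMIC_EXEC.findall(src)),
        "long_base64": len(LONG_B64.findall(src)),
        "max_line_len": max((len(line) for line in src.splitlines()), default=0),
        "entropy": round(shannon_entropy(src), 2),
    }
    fired = [
        signals["hex_ident_ratio"] >= 0.3,
        signals["escape_count"] >= 8,
        signals["dynamic_exec"] > 0,
        signals["long_base64"] > 0,
        signals["max_line_len"] >= 120,
    ]
    signals["fired"] = sum(fired)
    signals["flagged"] = sum(fired) >= 2
    return signals


if __name__ == "__main__":
    for name, src in (("obfuscated-benign", OBFUSCATED_BENIGN), ("plain-benign", PLAIN_BENIGN)):
        print(name, score_source(src))
    # After decoding escapes the strings become readable, but the sample
    # still trips the identifier and line-length rules.
    decoded = decode_escapes(OBFUSCATED_BENIGN)
    print(decoded)
    print("decoded still flagged:", score_source(decoded)["flagged"])
```

The numbers tell the story the post is making: the benign module's hex identifiers, escaped literals and 150-character line trip the same rules a malicious sample would, and decoding the escapes makes the strings readable but still leaves it flagged, so a human still has to spend time on it before it can be cleared.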

So, if you want to protect your ideas and your important code, be it your moat or your business logic, what should you do?


May I suggest a radical new idea I like to call: a backend.

You don't even need a dedicated server. Serverless functions or even Docker container hosts will do the trick. There are plenty of deployment and hardening guides out on the internet. Claude will even do it for you if you dare give it SSH access.

This way, you can protect your valuable logic from prying eyes, collect user analytics and usage patterns while you're at it, and even learn a whole new skillset.

You also get to ship slimmer libraries to your users and to the supply chain.

It's a win-win for everyone. And for me, and everyone else who does threat hunting, it will save precious time for finding the real bad stuff that's out there.

Give it a try.


If you enjoy deeper, more technical posts on malware analysis, be sure to check out my other posts on research.veryserious.systems.

As always thanks for reading, and be sure to leave a comment if you have any thoughts about this.