Malware found in node-red project

I found malicious code in my project. It was not in my repository, and there is not even proof it has been active, as it errored on an update. The prior edit of the project was 18 hours ago (no issues) and I updated Portainer 2 days ago. I am still clueless about the source.

The relevant code

code removed by moderator for safety reasons

I blocked the IP address 18.228.3.224:4782, and any advice or analysis is welcome.

GPT's summary:

Tab 1 (z = 84c7fdf3-ae46-4368-a7a2-cfdbd3c2e72c)

  1. Trigger node (kick) → fires once at startup.

  2. Exec node (cpu-count) → tries to determine CPU count and then opens a reverse shell:

    • Uses mkfifo and /bin/sh

    • Connects to 18.228.3.224:4782

    • Pipes input/output to give remote shell access

  3. Function node (storeLast) → saves CPU count to flow context.

  4. HTTP GET endpoint (/health/cpu) → returns CPU count and timestamp via readLast → http response.

Summary: This tab mixes a legitimate CPU-checking/reporting function with a malicious reverse shell (cpu-count).


Tab 2 (z = 846d1d833fcd3831)

  1. Trigger node → fires once at startup.

  2. Exec node (example flow 001) → immediately runs a Node.js reverse shell:

    • Spawns /bin/sh via Node.js

    • Connects to 18.228.3.224:4782

    • Provides full remote access

Summary: This tab is purely malicious, designed to give the attacker a backdoor.


The first question will be:

Is your Node-red exposed to the internet directly?

Can external sites access your computer's node-red?

No, it is not exposed to the internet. Only with VPN can I access it from my phone. But normal use is from the devices on the LAN of my home.

PS: Furthermore, contrary to what I said earlier (because GitHub seems not to return searches in old commits or whatever), parts of the code appear in a commit of August 22, while the prior commit was August 20. Portainer was updated 2025-08-21 00:02:42.

Then possibly a hacked GitHub account. You should check the accounts with access, change passwords and require everyone with access to use 2FA.

There are also GitHub Actions you can turn on that will warn of issues in code and dependencies. Also, plenty of settings in GitHub to control the ability to update code.


I use GitHub 2FA; I am the only user. It was in a commit I made from my local Node-RED instance that the wrong code was inserted.
So a hacked local Node-RED server, I believe (like Portainer), or the browser?
I see no sign of a hacked GitHub account. Also because I push and don't pull code from the repo.

We have most frequently seen reports where Node-red was accessible from the internet (by port-forwarding) and was the point of access into the system.

Whatever happened in your case, you should regard that entire machine as compromised, though no doubt Docker limits their access.

Indeed be suspicious of every machine on the network, including your router.

Is it possible before you put it behind a VPN you exposed it to the internet (for test/trial purposes), even if only for a short while?

Node-RED has never been exposed to the internet.
I would rather have had that as the cause, so I would know the issue. Now I have to take into account that the Pi server or another LAN device is hacked too.

At this moment I guess tab 1 was inserted between August 20, 21:09 and August 22, 16:42. I guess tab 2 was inserted maybe while I was editing today. It seems to be a variant of the same code. Maybe I interrupted the editing, so it errored on deploy, attracting my attention.
But editing flows.json outside Node-RED, just editing the file, is not very complex. The first tab was added to the end of flows.json, which proves nothing, but it gave me the thought that this is an option.

That hints that "they" don't have access to the server; otherwise, alternatives to this route (via Node-RED) to get shell access would be more appropriate.

What third party nodes have you installed? You can check in Manage Palette. It is conceivable that one of those is the source.

Check if you updated any of your flow dependencies. It is possible that one of your dependencies added a postinstall script that added the changes to your flow.json


No recent changes. The latest installed dependency, whose code I reviewed before installing, is

  • node-red-contrib-sse-client

Two dependencies that have a reverse-proxy port, running for longer than a year. Both use custom ports, but obscurity is no security!:

  • node-red-contrib-homeconnect
  • node-red-contrib-telegrambot

No custom dependencies, etc.

You have to check the whole dependency graph, and not only direct dependencies.

There was an attack on Linux once that was caused by an indirect dependency.

https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know

I agree that all dependencies, including indirect dependencies, can be the source. I scanned node_modules to start with. You will not expect me to check the whole Linux stack. What can I practically do?
I use very known primary dependencies, so this post was also to view whether more people have the same issue.

Buy a FlowFuse license and delegate security to their team.


😘 Employee?

Nope. I just think that if you don't want to take care of your server's security, it is better to pay someone to do that.

I take care and I want to take care.

Since (I believe) that is an Amazon IP address, should this be reported to them?

It is certainly a new one on me, and (I think) more sophisticated than the usual attacks we see.

Could this be a targeted attack on your system?

In your situation I think I would disconnect everything from the internet and make sure that I have good offline backups, in case this is an attempt at a ransomware attack.