https://peter-notes.com/categories/%E8%B3%87%E8%A8%8A%E5%AE%89%E5%85%A8/Recent content in 資訊安全 on Peter.H's Full-Stack GAMEhttps://peter-notes.com/images/og-image.jpghttps://peter-notes.com/images/og-image.jpgHugozh-twThu, 04 Jun 2026 00:00:00 +0000https://peter-notes.com/posts/steganographic-nodejs-backdoor-in-svg/Thu, 04 Jun 2026 00:00:00 +0000https://peter-notes.com/posts/steganographic-nodejs-backdoor-in-svg/一個接案邀請附帶的 GitHub repo，程式碼乾淨得 grep 不到任何問題，卻在伺服器啟動時 eval 一段藏在國旗 SVG 註解裡的 base64 payload。本文完整拆解這套隱寫術載入器、底下掛載的剪貼簿挾持／錢包竊取／檔案外洩／socket.io RAT 四個模組，以及字串混淆、VM 偵測等規避手法。