@cyberamateur @rmceoin @MalasadaTech Here's another question... what is the context around the curl command being copied? I see that Ctrl +C is mentioned, but what is the impetus for the user doing that?

I was thinking maybe a JS clipboard write or writeText method somewhere in the attack chain, but it looks like you may have identified the Ctrl+C somewhere?

@cyberamateur @rmceoin @MalasadaTech

Has anyone followed this on VirusTotal? The HTTP responses documented in VT look like obfuscated code, maybe made to look like legit google developer code?