{"id":50375360,"url":"https://github.com/wuwatracker/remote-script-swap-demo","last_synced_at":"2026-05-30T09:03:11.510Z","repository":{"id":341972411,"uuid":"1172226005","full_name":"wuwatracker/remote-script-swap-demo","owner":"wuwatracker","description":"Security demo showing how a trusted remote PowerShell script can be silently swapped when served from a mutable source. The import tutorial at wuwatracker.com does NOT do this and uses hashed URLs instead to prevent this attack.","archived":false,"fork":false,"pushed_at":"2026-03-04T08:38:19.000Z","size":88,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-04T11:10:03.590Z","etag":null,"topics":["arknights-endfield","duet-night-abyss","exploit","genshin-impact","honkai-star-rail","malware","poc","script","security","supply-chain-attack","vulnerability","web-security","wuthering-waves","zenless-zone-zero"],"latest_commit_sha":null,"homepage":"https://remote-script-swap-demo.wuwatracker.workers.dev/import.ps1","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wuwatracker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-04T04:21:23.000Z","updated_at":"2026-03-04T08:38:22.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/wuwatracker/remote-script-swap-demo","commit_stats":null,"previous_names":["wuwatracker/remote-script-swap-demo"],"t
ags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/wuwatracker/remote-script-swap-demo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wuwatracker%2Fremote-script-swap-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wuwatracker%2Fremote-script-swap-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wuwatracker%2Fremote-script-swap-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wuwatracker%2Fremote-script-swap-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wuwatracker","download_url":"https://codeload.github.com/wuwatracker/remote-script-swap-demo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wuwatracker%2Fremote-script-swap-demo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33686020,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arknights-endfield","duet-night-abyss","exploit","genshin-impact","honkai-star-rail","malware","poc","script","security","supply-chain-attack","vulnerability","web-security","wuthering-waves","zenless-zone-zero"],"created_at":"2026-05-30T09:03:09.562Z","
updated_at":"2026-05-30T09:03:11.505Z","avatar_url":"https://github.com/wuwatracker.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Remote Script Swap Demo\n\nThis repository demonstrates a remote script swapping vulnerability in web applications, using a coin flip to randomly serve either a safe or a malicious PowerShell script from two different URLs.\n\nThis example shows how attackers could exploit mutable URLs in production environments.\n\n\u003e [!CAUTION]\n\u003e The purpose of this demo is educational only. The repository does not contain any harmful code, but it illustrates how a script URL can be swapped and how it can pose a risk.\n\u003e WuWa Tracker does NOT perform, endorse, or encourage any malicious activities. Always use this knowledge responsibly and ethically.\n\n\u003e [!TIP]\n\u003e The [wuwatracker.com](https://wuwatracker.com) website uses hashed URLs to serve scripts, which is a best practice to prevent this type of vulnerability.\n\n## Table of Contents\n\n- [Overview](#overview)\n- [Demo](#demo)\n- [How it Works](#how-it-works)\n- [Setting up the Demo](#setting-up-the-demo)\n- [Running the App](#running-the-app)\n- [Demo Execution](#demo-execution)\n- [Security Implications](#security-implications)\n- [Mitigation](#mitigation)\n- [License](#license)\n\n## Overview\n\nIn this demo, a simple Hono-based server serves a PowerShell script from a mutable URL. 
Depending on a random coin flip, it redirects the user to one of the following URLs:\n\n- Safe Script URL: A script that performs harmless log file reading (this script will be safe).\n- Malicious Script URL: A script that could theoretically be replaced with a malicious one (this script demonstrates the risk).\n\nThe demo aims to raise awareness of remote script swapping vulnerabilities, where attackers can change the contents of a trusted URL without the user's knowledge.\n\n## Demo\n\nRun this a couple of times to get either the safe or malicious script. The server will do a 50/50 coin flip to determine which script to serve.\n\n```ps1\niwr https://remote-script-swap-demo.wuwatracker.workers.dev/import.ps1 | iex\n```\n\n\u003e [!NOTE]\n\u003e This does not actually do anything other than show text. It's just for demonstration purposes.\n\nIn reality, malicious actors wouldn't just use a 50/50 coin flip to determine when to serve the scripts and what kind of scripts to serve. The condition can be arbitrary, such as serving the malicious script only to specific users, at specific times, or under specific conditions.\n\n## How it Works\n\nThe application uses the `Hono` web framework to set up an HTTP server. When a user visits the `/import.ps1` endpoint, a coin flip determines whether they are redirected to the safe or malicious script URL.\n\n- If the coin flip is \"Heads\", users are redirected to the safe PowerShell script (`SAFE_SCRIPT_URL`).\n- If the coin flip is \"Tails\", users are redirected to the malicious PowerShell script (`MALICIOUS_SCRIPT_URL`).\n\nThe URLs for both scripts are configured in environment variables.\n\n### Code Snippet\n\n```typescript\nimport { Hono } from \"hono\";\nimport { CfBindings } from \"./types\";\n\nconst app = new Hono\u003c{ Bindings: CfBindings }\u003e();\n\nfunction flipACoin() {\n  return Math.random() \u003c 0.5 ? 
\"Heads\" : \"Tails\";\n}\n\napp.get(\"/import.ps1\", (c) =\u003e {\n  const coinflipResult = flipACoin();\n\n  if (coinflipResult === \"Heads\") {\n    return c.redirect(c.env.SAFE_SCRIPT_URL);\n  } else {\n    return c.redirect(c.env.MALICIOUS_SCRIPT_URL);\n  }\n});\n\nexport default app;\n```\n\n## Setting up the Demo\n\n### Prerequisites\n\n- Node.js (\u003e=v24.0)\n\n### Installation\n\n1. Clone this repository:\n\n   ```bash\n   git clone https://github.com/wuwatracker/remote-script-swap-demo.git\n   cd remote-script-swap-demo\n   ```\n\n2. Install dependencies:\n\n   ```bash\n   pnpm install\n   ```\n\n3. Configure the environment variables with the URLs for your safe and malicious scripts.\n\n   Add the following to your `.env` file (or configure them in your cloud service):\n\n   ```bash\n   SAFE_SCRIPT_URL=https://raw.githubusercontent.com/wuwatracker/remote-script-swap-demo/refs/heads/main/scripts/safe.ps1\n   MALICIOUS_SCRIPT_URL=https://raw.githubusercontent.com/wuwatracker/remote-script-swap-demo/refs/heads/main/scripts/malicious.ps1\n   ```\n\n## Running the App\n\nYou can run the app locally or deploy it using Cloudflare Workers or any other platform that supports the Hono framework.\n\n### Running Locally\n\nTo run the app locally:\n\n1. Install the necessary local server tools.\n2. Run the application:\n\n   ```bash\n   pnpm run dev\n   ```\n\nThis will start the app on `http://localhost:8787`. Visiting `http://localhost:8787/import.ps1` will randomly redirect to either the safe or malicious script.\n\n## Demo Execution\n\nWhen you access the `/import.ps1` endpoint, the application will execute the coin flip function and randomly redirect to either:\n\n1. The safe script URL (`SAFE_SCRIPT_URL`) that performs harmless actions like reading log files.\n2. 
The malicious script URL (`MALICIOUS_SCRIPT_URL`), which could be swapped out by an attacker, leading to malicious behavior.\n\n## Security Implications\n\nThis demo highlights a security vulnerability in mutable URLs, where attackers could swap the script without the user's knowledge.\n\nThe impact of such an attack might include:\n\n- Data theft\n- Privilege escalation\n- System compromise\n- Undetected malicious actions\n\nThis vulnerability arises when scripts are served from mutable URLs (e.g., GitHub branch URLs or other unversioned URLs).\n\n## Mitigation\n\nHere are some best practices to avoid remote script swapping vulnerabilities:\n\n1. Pin Script URLs to Specific Versions:\n   Use commit hashes in URLs to ensure the script is immutable.\n\n   For example:\n\n   ```bash\n   https://raw.githubusercontent.com/user/repo/\u003ccommit-hash\u003e/import.ps1\n   ```\n\n   - A `\u003ccommit-hash\u003e` may look like `a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0`.\n\n2. Checksum Validation:\n   Verify the integrity of the script by comparing the checksum of the downloaded file against a trusted value.\n\n3. Signed Releases:\n   Use signed releases to verify the authenticity of scripts before execution.\n\n4. Use a Secure Source for Scripts:\n   Avoid hosting critical scripts on mutable URLs. Instead, use a trusted and secure repository for critical scripts.\n\n\u003e [!TIP]\n\u003e The [wuwatracker.com](https://wuwatracker.com) website uses hashed URLs to prevent remote script swapping vulnerabilities. At the end of the day, you should always audit the script URLs you run on your system.\n\n## License\n\nThis project is licensed under the MIT License. 
See the [LICENSE](LICENSE) file for more information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwuwatracker%2Fremote-script-swap-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwuwatracker%2Fremote-script-swap-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwuwatracker%2Fremote-script-swap-demo/lists"}