A backdoor in a LinkedIn job offer

> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”

> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.

> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.

> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.

Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.

The difference between pre- and post-chatbot writeups is stark: https://igor-blue.github.io/2021/03/24/apt1.html

$100 says OP is Claude

> I’ve heard of these attacks and read about them on HN

And, I am reading this on HN right now. What a coincidence!

I read a lot about social engineering and how the human being is considered the weakest layer in the security chain but this is the first time I've came across this pattern. Eye opening indeed.

So, this is a crime right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.

This type of attack has been happening a lot the past 2 years. I've seen one that was very well done...the GitHub account of a fairly well known security researcher had been compromised...their identity and code was being used as part of the recruitement. I reached out to the person...who was understandably embarrassed and told me they had reported this to LinkedIn + Github but saw no action.

This is the part that really irks me: LinkedIn and Github know this is the end goal of many of the rampant supply chain attacks but they a) don't have a first class mechanism for reporting b) don't seem to be improving their systems or even warning people. I have been hit be this enough times that I follow along to get screenshots of the scammer. One might think with all the surveillance systems Microsoft/LinkedIn/Github/Google-Meet/Calendly have in place that a potential victim reporting it along with an actual picture of the scammer could get us somewhere.

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Oh, Microsoft.

This is uncomfortably close to a normal interview task now.

Someone sends you a repo, says the install is broken, and asks you to take a look.

A lot of developers would run rpm install before thinking twice, especially if they were tired or looking for work.

They seem to using the same domain for multiple targets: reddit thread from 3 months ago:

https://www.reddit.com/r/openclaw/comments/1rlet0h/someone_t...

Been through this 3 times in the last 6 months. They're getting better. Very credible LI profiles, code looks OK if you only take a glance... The bell start ringing when they insist you to run locally their sh*t

I work in crypto and this is happening practically every other day. I refuse anyone on LinkedIn that I don't know personally and has web3 or crypto anywhere in the description. It's all fake accounts with fake job offers. It's a pretty known scam.

Why is npm still not blocked by every OS on earth is beyond me. These guys will never learn.

Maybe Mac will finally get decent virtualization framework. Downloading random unprotected scripts from internet, like it is 1995 is getting old pretty fast.

Remember to use protection when meeting random people, and putting their junk deep inside your computer!

I had a similar experience, just by email.

https://blog.denv.it/posts/i-was-likely-targeted-by-dprk-in-...

It was likely DPKR.

I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...

Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.

I had a [similar](https://dev.shivagaire.com.np/linkedin-client-rce-backdoor-n...) encounter before. Jobs are scarce and this kind of targeted dev attacks semms to be more frequent these days.

This is very likely Lazarus Group - specifically Famous Chollima aka the DPRK

I really want to know what would've happened with an npm install, I guess something boring like crypto mining or identity theft?

"Recruiters" are getting sophisticated.

I spoke on the phone with "Singapore based recruiters" a couple of times who wanted my services as a consultant for "advanced applications for semiconductor devices."

Turns out they were just fishing for inside information on my employer's end customer's applications.

It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.

I don't have a LinkedIn profile.

~50% of jobs listed on who is hiring every month require a LinkedIn profile to submit a job application.

In order to find a job, one must bend the knee to LinkedIn first and subjugate themselves to the political (all sides) propaganda on the feed.

Smells like contagious interview campaign by DPRK folks. They have been doing this for a while. Even using IDE settings, Claude hooks for malicious code execution.

I used to get 2-3 shady crypto offers per week on LinkedIn. It stopped when I started replying with AI generated responses demanding multiple verification steps: official email, official offer link, terms and scope etc. And a note with a firm refusal to run any code or install any package on my machine for "recruitment tasks".

Western governments should treat large-scale scammers and the countries that protect them as an act of war.

This is the first time i have heard of this type of scam so horrible like people need to be careful on both github and linkedin

Oh my goodness! I had this playout as is on Friday. I luckily got on the zoom call 20 mins late. Found it weird that the interviewer was pushy and wanted me to download and run an npm repo. I got out of the call quickly.

> So far nothing has changed and the code is still up.

That sucks, but it seems to be par for the course, these days.

> but on a more tired or rushed day

This has nearly gotten me before, and I got lucky.

Were I still on Linkedin, I could totally have been caught by this. Thank you for this post, and the technical breakdown.

The company that I currently work for is currently paying for a curation product to scan NPM for vulnerabilities, and to prevent access to typo-squatting packages and new, unverified packages. I suspect that my employer may get to the point of banning NPM entirely, though.

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Github is really slow when it comes to malicious repos. You'll probably get an email randomly six months from now when they finally see it.

It’s just so heartwarming to see we are completely indentured to both LinkedIn and GitHub, and forced to curate fake personas and upload our life's work just to secure a paycheck.

Yes, throwaway VPS for interview coding tasks should be the new norm.

I only use LinkedIn for the job postings but they’ve become flooded with nonsense the past few months. Lots of postings from Ladders, Swooped, and various companies like those. I think I’m about to ditch LinkedIn permanently.

I feel like there's only going to be more attempts like this, given the state of how many recently made redundant software engineers out there, and the level of desperation to find a job.

I’ve seen a few of these – malicious repos to clone, fake call links that prompt for “driver” downloads, and so on.

The only way around it is to be hyper-vigilant if anyone asks you to run any untrusted code on your computer.

So the backdoor isn’t in the offer but came per offer

I wonder if an antivirus software would catch this..

It would have been game over for me.

With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity.

Stay vigilant out there everyone.

Something similar happened to a friend, repo https://github.com/momonity/cryptoskope/

Would highly recommend running any repo in an isolated environment like a vm

Honestly, I would have given up before starting. You spend time and effort on these cases only for the company to say "Unfortunately..."

> so just installing dependencies executes the backdoor.

How anybody in their right mind still uses this tech stack is beyond me.

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Remember to treat every size on the internet as an adversary, even if they weren't in the past.

I'm a simple man. I see crypto currency and I move away from what looks likely a social scam.

Sure, that might have been the one chance in a life time to easy big money. Or just a path to financial big troubles.

Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?

I'm working 3 remote jobs right now and I can tell you guys to really watch out.

Often they are not malicious, just unsavory business practice where they want free consulting with no intention of hiring you. Another tell is the person is quick to jump to a take home screening project and they are quite good at getting at engineers heads that "leetcode is outdated/they dont believe in it" and whatever they want you to hear.

They know engineers are desperate for jobs right now and if you don't have a backbone they will exploit it.

I am much wiser now that I work multiple salary jobs remotely I realize these 3 golden rules:

- Don't stay loyal to your employers.

- Don't stay honest to those don't value it.

- Don't stay complacent always innovate.

More reasons for me to dislike linked-in. I have an account. I hate it.

the entire internet is just phishing at this point