Hacker News

A backdoor in a LinkedIn job offer

1526 points by lwhsiao, yesterday at 8:00 PM | 292 comments

Comments

wxw yesterday at 8:46 PM

> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”

> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.

> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.

> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.

Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.

jmward01 yesterday at 8:36 PM

So, this is a crime, right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.

heldrida today at 1:27 PM

Job candidates keep facing a lot of hurdles, including scams, Trojan horses like the one presented here, ghosting, wasting candidates' time, nepotism, etc. As a candidate you can easily spend more than 8 hours a day looking for opportunities, switching stacks, studying, doing take-home projects, etc., for absolutely nothing. Life is precious and shouldn't be burned like that!

matltc today at 5:42 AM

The difference between pre- and post-chatbot writeups is stark: https://igor-blue.github.io/2021/03/24/apt1.html

$100 says OP is Claude

jhancock today at 4:30 AM

This type of attack has been happening a lot the past 2 years. I've seen one that was very well done... the GitHub account of a fairly well known security researcher had been compromised... their identity and code was being used as part of the recruitment. I reached out to the person... who was understandably embarrassed and told me they had reported this to LinkedIn + GitHub but saw no action.

This is the part that really irks me: LinkedIn and GitHub know this is the end goal of many of the rampant supply chain attacks but they a) don't have a first class mechanism for reporting b) don't seem to be improving their systems or even warning people. I have been hit by this enough times that I follow along to get screenshots of the scammer. One might think with all the surveillance systems Microsoft/LinkedIn/GitHub/Google-Meet/Calendly have in place that a potential victim reporting it along with an actual picture of the scammer could get us somewhere.

BobAliceInATree yesterday at 9:09 PM

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Oh, Microsoft.

konovalov-nk today at 9:24 PM

I wonder if I should submit this to HN: https://www.linkedin.com/pulse/your-data-being-stolen-right-...

Because there's a massive bot network operating on LinkedIn right now... and I'm tired of interacting with it every day.

aykutseker yesterday at 10:15 PM

This is uncomfortably close to a normal interview task now.

Someone sends you a repo, says the install is broken, and asks you to take a look.

A lot of developers would run npm install before thinking twice, especially if they were tired or looking for work.

Raed667 yesterday at 9:07 PM

They seem to be using the same domain for multiple targets: Reddit thread from 3 months ago:

https://www.reddit.com/r/openclaw/comments/1rlet0h/someone_t...

theoeiffijr yesterday at 8:23 PM

Maybe Mac will finally get a decent virtualization framework. Downloading random unprotected scripts from the internet, like it's 1995, is getting old pretty fast.

Remember to use protection when meeting random people, and putting their junk deep inside your computer!

dantodor today at 1:07 AM

Been through this 3 times in the last 6 months. They're getting better. Very credible LI profiles, code looks OK if you only take a glance... The bells start ringing when they insist you run their sh*t locally.

elwebmaster yesterday at 11:21 PM

Why npm is still not blocked by every OS on earth is beyond me. These guys will never learn.

throwawayffffas today at 12:04 PM

Hm, the URL returns a PNG. Did he obscure the actual URL? Couldn't get it to send me JSON or JS...

Update: found a clone of the repo on GitHub and got the payload, all you have to do is add a header `bearrtoken: logo`

It's obfuscated, I will feed it to qwen to see what can be gleaned.

maxaw today at 2:41 PM

This happened to me too. Few things about the process made me suspicious. I downloaded the repo and told Claude to "find the malware". Took about 15 seconds. Remote code execution that would have run upon npm install, iirc. Many layers of obfuscation. In implementation, a little different to the OP's situation but there are similarities. It was a "crypto startup". Maybe they think people in the crypto world are more forgiving of idiosyncrasies in the recruiting process? I reported the recruiter's profile to LinkedIn, with extensive details. They said they wouldn't look into it unless I opened a ticket in some other part of their site, lol. However it seems they got onto it, or someone else complained, because I can't find the recruiter "alice kenny" anymore. But the "company" she was recruiting for is still live:

https://www.linkedin.com/company/blockchainaustraliasolution...

atum47 yesterday at 8:52 PM

I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...

CyanLite2 yesterday at 8:26 PM

Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.

denysvitali today at 1:01 AM

I had a similar experience, just by email.

https://blog.denv.it/posts/i-was-likely-targeted-by-dprk-in-...

It was likely DPRK.

ionwake today at 11:54 AM

I'm not sure if anyone will read this, but I consider myself pretty savvy having been on the internet over decades, however I nearly succumbed to a highly complex LinkedIn "interview with video call just to get me to install malware".

It was the most bizarrely long roundabout way to get me to install malware I had ever witnessed. I couldn't fathom it was real, I mean they interviewed me for half an hour. Now you might think I'm paranoid, however it was obvious: their camera was off (personal preference, they said) and well I allowed it... only for other eventual straws to break the camel's back, and I realised "oh uh oh, this is just 2 strangers trying to get me to install crap on my laptop for wealth extraction".

I was flummoxed tbh, I couldn't believe it, as the approach had been very organic, through LinkedIn DMs, just that eventually I realised I had succumbed to "yes men" (the only thing that would get past my already strict job filters, ironically) to allow myself into such a compromising situation.

The only question I had is how did they do such a smooth complex manoeuvre, and then I realised... oh, they just used AI to come up with the plan and implementation.

atraac today at 6:09 AM

I work in crypto and this is happening practically every other day. I refuse anyone on LinkedIn that I don't know personally and who has web3 or crypto anywhere in the description. It's all fake accounts with fake job offers. It's a pretty known scam.

vidarh today at 12:14 PM

This is a common one. I've had at least half a dozen of them. If I'm bored, I play along, and then play difficult and dumb and see how long it takes until they give up.

Some of these will happily get on "interview" calls etc.

For some reason, most (but not all) of them have the same telltale signs of looking for someone to work on a web3/crypto gaming project.

clemailacct1 yesterday at 8:41 PM

This is very likely Lazarus Group - specifically Famous Chollima aka the DPRK

NordStreamYacht today at 1:45 AM

"Recruiters" are getting sophisticated.

I spoke on the phone with "Singapore based recruiters" a couple of times who wanted my services as a consultant for "advanced applications for semiconductor devices."

Turns out they were just fishing for inside information on my employer's end customer's applications.

rektomatic yesterday at 8:30 PM

I really want to know what would've happened with an npm install, I guess something boring like crypto mining or identity theft?

zackchen today at 3:47 PM

I've pretty much had the same thing happen to me on Fiverr about 10 months ago.

I even did a write up. It was one of the first reverse engineerings I've done. https://gist.github.com/Throvn/97fcb4981c1ff66725d4b2e408ba0...

dataviz1000 today at 1:31 AM

I don't have a LinkedIn profile.

~50% of jobs listed on Who is Hiring every month require a LinkedIn profile to submit a job application.

In order to find a job, one must bend the knee to LinkedIn first and subjugate themselves to the political (all sides) propaganda on the feed.

raesene9 today at 12:43 PM

Worth noting that this isn't just a risk with npm or other package managers. If you're using LLM agents in the directory of a cloned repo, there are risks in skills, hooks etc. automatically executing.

martinwoodward today at 12:41 PM

Martin from GitHub here - the offending repos have been taken down, but the article from Roman is still very much worth reading to understand the attack vector attempted.

srikanth86 yesterday at 9:35 PM

Oh my goodness! I had this play out as is on Friday. I luckily got on the Zoom call 20 mins late. Found it weird that the interviewer was pushy and wanted me to download and run an npm repo. I got out of the call quickly.

CalChris yesterday at 8:40 PM

It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.

f055 yesterday at 9:39 PM

I used to get 2-3 shady crypto offers per week on LinkedIn. It stopped when I started replying with AI generated responses demanding multiple verification steps: official email, official offer link, terms and scope etc. And a note with a firm refusal to run any code or install any package on my machine for "recruitment tasks".

nubinetwork today at 12:59 AM

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

GitHub is really slow when it comes to malicious repos. You'll probably get an email randomly six months from now when they finally see it.

jghn today at 1:57 PM

I cannot imagine a situation where some random person messages me on LinkedIn asking me to solve a coding challenge, and I do anything other than block them.

swithek today at 9:48 AM

I'm seeing the same. Worth flagging that maintainers seem to be a specific target now, not just job seekers. If you've got commit access to anything popular, backdoors like this become a lot more dangerous, because the supply-chain payoff is much bigger than your laptop.

rektlessness yesterday at 11:54 PM

It’s just so heartwarming to see we are completely indentured to both LinkedIn and GitHub, and forced to curate fake personas and upload our life's work just to secure a paycheck.

Yes, throwaway VPS for interview coding tasks should be the new norm.

xvxvx yesterday at 11:56 PM

I only use LinkedIn for the job postings but they’ve become flooded with nonsense the past few months. Lots of postings from Ladders, Swooped, and various companies like those. I think I’m about to ditch LinkedIn permanently.

abhisek today at 3:04 AM

Smells like a Contagious Interview campaign by DPRK folks. They have been doing this for a while. Even using IDE settings, Claude hooks for malicious code execution.

redbell today at 7:39 AM

> I’ve heard of these attacks and read about them on HN

And, I am reading this on HN right now. What a coincidence!

I read a lot about social engineering and how the human being is considered the weakest layer in the security chain, but this is the first time I've come across this pattern. Eye-opening indeed.

sambhu today at 5:19 AM

I had a [similar](https://dev.shivagaire.com.np/linkedin-client-rce-backdoor-n...) encounter before. Jobs are scarce and this kind of targeted dev attack seems to be more frequent these days.

Yhippa yesterday at 9:06 PM

> but on a more tired or rushed day

This has nearly gotten me before, and I got lucky.

hboon today at 9:44 AM

I didn't read everything, but I had a DM offering a gig a few weeks ago, which asked me to check out a React site/app. I cloned it and it looked dubious; I replied that I'd pass.

LooseMarmoset yesterday at 11:08 PM

Were I still on LinkedIn, I could totally have been caught by this. Thank you for this post, and the technical breakdown.

The company that I currently work for is currently paying for a curation product to scan NPM for vulnerabilities, and to prevent access to typo-squatting packages and new, unverified packages. I suspect that my employer may get to the point of banning NPM entirely, though.

ChrisMarshallNY today at 12:47 AM

> So far nothing has changed and the code is still up.

That sucks, but it seems to be par for the course, these days.

nticompass today at 2:14 PM

> recruiter at a small crypto startup

That's your first red flag right there.

saos today at 9:53 AM

> but on a more tired or rushed day, I could easily have run npm install before thinking it through

n3mo-dev today at 1:26 PM

LinkedIn offers are mostly either scams or just for promotions.

harrouet today at 9:57 AM

How about running that backdoor from a honeypot and checking what it is trying to do?
