A backdoor in a LinkedIn job offer

Attack pattern and prevalence

  • Many commenters report nearly identical scams: LinkedIn (and sometimes Upwork/email) “recruiters” for crypto/web3 jobs sending repos or “VPN clients” and pressuring candidates to run code locally.
  • Tactics include: broken PoC repos, “please fix deprecated modules / broken install,” fake VPN download scripts, and projects that prompt wallet connections or IDE auto-scripts.
  • Several note this is now common, especially around crypto and gaming, and specifically targeting developers and maintainers who may hold credentials or supply‑chain access.

Technical vector and npm/supply-chain risks

  • Core vector: malicious npm lifecycle scripts (prepare and similar hooks) that run automatically during npm install, giving the attacker code execution on the developer's machine and a foothold for data exfiltration and persistence.
  • Some argue this is a design flaw of npm; others say any build/test system can run arbitrary code, and npm is simply the most popular and churn-heavy one.
  • Discussion of npm v12 “more secure defaults” and the trade-off between breaking existing workflows and reducing attack surface.
  • LLM agents that auto-run npm install in repos are called out as a new risk amplifier.

Platform behavior: LinkedIn, GitHub, Microsoft

  • Multiple reports that malicious repos and fake recruiter accounts remained up after being reported; removals are slow or absent.
  • LinkedIn criticized for: weak identity verification, no way for companies to disavow fake employees, poor abuse redress, and a growing volume of scams and low‑quality job content.
  • GitHub’s handling of malicious repos is seen as laggy; some suggest DMCA is ironically more effective than abuse reports.

Law enforcement and “cyber 911”

  • Consensus that this is clearly criminal, but practical enforcement is rare, especially when attackers sit in uncooperative jurisdictions.
  • Debate over a global or national “cyber 911” for coordinated response, vs. skepticism about funding, abuse, and government overreach.
  • US resources like FBI/IC3 are mentioned; experiences range from “useless” to occasionally helpful.

Impact on developers and defensive practices

  • Harsh job market and desperation make people more likely to overlook red flags; some recount nearly falling for these scams.
  • Suggested defenses: never run untrusted repos on your main machine; use VMs/throwaway VPS; read install/test scripts first; refuse to run code as part of an unscreened “interview.”
  • Some advocate minimizing dependencies and package managers, or scanning and sandboxing all dev tooling—“antivirus for developers.”