> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”
> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.
> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.
> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.
Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.
LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page.
We've had fake recruiters that claim to work for us running basically the same scam. These are great fake profiles: LinkedIn Premium, tons of relevant posts, etc... but they don't work for us, and we get angry messages from people saying our recruiter tried to scam them. No, they're not our recruiter despite showing up on our company page on LinkedIn. No number of reports could get them taken down.
I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn, but not all startups have that connection!
Friends don't let friends use NPM. At this point it is so wildly crazy watching people get owned, I don't understand how anyone uses it when they could use e.g. PNPM and block one of the most obvious and frequently exploited holes. These tools with arbitrary code execution when trying to download some code have got to stop.
Github / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently.
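The hole the two comments above are talking about is npm's install-time lifecycle hooks: `preinstall`, `install`, `postinstall`, and (for the package you are installing into) `prepare` all run shell commands as a side effect of a plain `npm install`. A defender-side check before installing is to list every `package.json` in the checkout and its `node_modules` that declares one of those hooks. The script below is an added example, not code from the post or from any project mentioned in it; the manifests it scans are constructed samples, and the `scripts/setup.js` and `node-gyp rebuild` commands in them are placeholders standing in for whatever a hook might run.

```python
"""Audit a checkout for install-time npm lifecycle hooks before running `npm install`."""
import json
import os
import tempfile

# Scripts npm executes as a side effect of `npm install`. `prepare` fires for the
# root package on a bare install (and for git dependencies); the install triple
# fires for every installed dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepublish", "prepare")

# Constructed sample root manifest (not the repository from the post): a
# "prepare" hook like this executes on every `npm install` in the checkout.
SAMPLE_MANIFEST = {
    "name": "example-poc",
    "version": "0.1.0",
    "scripts": {
        "test": "jest",
        "prepare": "node scripts/setup.js",  # placeholder command
    },
}


def install_hooks(manifest):
    """Return only the `scripts` entries that npm runs at install time."""
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def audit_tree(root):
    """Walk `root` (checkout plus node_modules) and report every manifest with install hooks."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the audit
        hooks = install_hooks(manifest)
        if hooks:
            findings.append({
                "path": os.path.relpath(path, root),
                "name": manifest.get("name", "?"),
                "hooks": hooks,
            })
    return sorted(findings, key=lambda f: f["name"])


def _write(pkg_dir, manifest):
    """Write a constructed package.json into pkg_dir."""
    os.makedirs(pkg_dir, exist_ok=True)
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)


def demo():
    """Build a constructed checkout in a temp dir, audit it, return the flagged package names."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, SAMPLE_MANIFEST)
        # A dependency with only a build script: not run on install, so not flagged.
        _write(os.path.join(root, "node_modules", "plain-dep"),
               {"name": "plain-dep", "scripts": {"build": "tsc"}})
        # A dependency with a postinstall hook: flagged, even though it looks routine.
        _write(os.path.join(root, "node_modules", "native-thing"),
               {"name": "native-thing", "scripts": {"postinstall": "node-gyp rebuild"}})
        return [f["name"] for f in audit_tree(root)]


if __name__ == "__main__":
    for name in demo():
        print("install hook in:", name)
```

Run it against a cloned repo before installing anything, and read every flagged command yourself. If you only need the dependency tree and not its build steps, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) skips all of these hooks, which is the "block" the comment above asks for; pnpm 10 does not run dependency lifecycle scripts unless they are allow-listed in `pnpm.onlyBuiltDependencies`.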
Surprise is unwarranted as LinkedIn enshittifies. This type of thing is exactly what happens when neither the user of the service, nor the third party commercial interests are being served by the commercial enterprise. It's a vacuum that scams enter into.
So, this is a crime right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.
You won't hear back from them, though. But, at least for US citizens (and possibly for anyone?), this is as far as I know the closest thing there is to an "Internet 911".
secondary is the effort asymmetry between spinning up one of these scams (near 0 effort) and catching/prosecuting these scams (big effort, astronomical cost)
You aren't getting jail for life for this, even in the extremely remote chance you are caught. You are probably getting more than one guy's computer, though.
I don't know, but the US kidnaps... ehhh, arrests people on foreign land on a regular basis and brings them to the US to stand trial. So if it's "important" enough it will be acted upon...
To put it bluntly and perhaps a bit cynically, on the tree of bad things that people do to other people, this is pretty high-hanging fruit. Right up there next to scam phone calls that prey on the elderly while claiming to be from Microsoft support.
It's basically impossible to catch suspects because they are either smart enough to cover their tracks very well, or (more often) live in countries whose governments don't care about their citizens (even pay them for) scamming westerners.
Hard disagree on the scam phone calls. It would be trivial to eradicate them almost completely if the phone operators did the bare minimum to fight against it. At any point in time, any given US phone number is handled by exactly one phone carrier. There is nothing stopping that carrier from requiring name and address to issue that phone number. They already do for 99.99% of their legitimate customers. It would be very easy to make it so that every single phone call originating from the US, including all VOIP calls made with US phone numbers, can be traced back to a specific business or person that can later be sued or prosecuted.
And no, number spoofing isn't an excuse either. We literally solved the much harder problem of email spoofing already. There are, what, 3 carrier networks in all of US? And they cannot do with each other what DMARC did for the hundreds of thousands disjoint organizations that comprise the internet? Please.
Wonder if they’re effective in going after reports. I’d still report to IC3/FBI/powers that be, too. Just in case someone somewhere has the resources to do something… perhaps a high hope
I get more calls from Google Security than any other thing. Oddly the Pixel's built in scam detection and call screening lets them through without fail. I normally don't have my phone even ring unless it's in my contacts, but saying you are calling from Google is like a magic code.
I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...
Maybe Mac will finally get decent virtualization framework. Downloading random unprotected scripts from internet, like it is 1995 is getting old pretty fast.
Remember to use protection when meeting random people, and putting their junk deep inside your computer!
Or running random curl | bash scripts from GitHub, AUR, NPM are just as bad but many developers here still have dubious assumptions on this bad practice.
The last few weeks tell us how bad this is, especially with all the mini-Shai-Huluds running around.
It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.
AFAIK most malware like this first sends the contents of your environment variables, ssh keys, passwords, etc. to the server, and then sets up a persistent process that executes arbitrary commands received from the attacker's server at any time, allowing them to run whatever else they want
I once saw an ad on LinkedIn made up to look like the CBC (Canadian news) linking to a fake video of the Canadian prime minister announcing a crypto investment plan for all Canadians, with a link to sign up. I reported the ad to LinkedIn and shortly after got a reply telling me they investigated and didn’t find any violation of their policies.
Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?
Thought: they may be targeting software developers on the assumption they may have legit credentials lying around from other employers or for public open source projects, or at a minimum some reputation to exploit towards obtaining commits to the same for supply chain attacks.
With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity.
As part of a potential interview, I was given login credentials so I could sign in to a site where I was prompted to download a VPN client that would allow me to connect to the company's system (red flags already).
They made the site look like it was an official OpenVPN page, even though the URL was clearly not affiliated. The method of "downloading" their VPN was to copy and paste a script to run in my terminal. They only showed a small snippet of the command, which started with `( brew install openvpn )`, followed by a copy button. After pasting the full command to inspect it, the entire contents was as follows (with the malicious URL removed):