[wxw]

> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”

> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.

> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.

> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.

Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.

[pants2]

LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.

We've had fake recruiters that claim to work for us running basically the same scam. These are great fake profiles: LinkedIn Premium, tons of relevant posts, etc... but they don't work for us, and we get angry messages from people saying our recruiter tried to scam them. No, they're not our recruiter despite showing up on our company page on LinkedIn. No number of reports could get them taken down.

I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn, but not all startups have that connection!

[tweetle_beetle]

LinkedIn didn't even disavow people pretending to work for LinkedIn until someone had too much fun with it - https://chrisduffycomedy.com/blog/2016/11/2/6-months-as-the-...

[rendaw]

What happened in the end?

[throwa356262]

Microsoft bought LinkedIn.

He got a huge package.

Everyone lived happily ever after.

(LinkedIn eventually locked and then deleted his account, https://awesomeatyourjob.com/1140-bringing-more-laughter-fun...)

[rootsudo]

That’s funny, thanks for that.

[underlipton]

>I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn

I'd like people to understand that this is a form of corruption. We've normalized many like it. LI knows that the only way to force them to fix the issue is to go through a drawn-out legal process, save a spate of bad press (RIP 60 Minutes), so of course they won't.

[jrockway]

I agree with you. I used to work for an ISP that sold kind-of overpriced 1Gbps connections and always wondered why customers bought it. Probably helping things was that we took them out to "events", floor seats at basketball, etc. The company just has a fixed expense, but the people making the decision get free stuff that makes them feel important, and it was kind of a way of transferring the company's money (by not buying the $29/month Internet connection) to themselves. I never felt good about it, but if you say that out loud, everyone will look at you like you're crazy.

AWS did this for us at the time but the 3 people in the company that used AWS services never got to go to these things. So I doubly don't get it.

[idiotsecant]

Vendor bribe swag is basically ubiquitous in the industrial world. When I worked in oil and gas it was quite common for a vendor to do a 'lunch and learn' where they bought the whole office very good lunch and we listened to them pitch whatever product line they wanted us to specify for design customers. I work in a more socially responsible but less lucrative industry now and alas no vendors buying me lunch

[sensanaty]

My last 2 companies, LinkedIn asked me to add an email address associated with the said company and actually confirm via said email in order to add them to my profile. So, if I worked for FooCompany, I had to have a @FooCompany.com email which is setup by someone at the company itself. Does this not cover what you're talking about?

[pants2]

According to my research, LinkedIn only does this for executive and now recruiter-like titles, but not broadly. You may be able to in order to get "verified on LinkedIn" but it's not a requirement for showing association with a company.

https://www.theverge.com/news/771210/linkedin-recruiter-exec...

[jamesfinlayson]

I'm bottom of the ladder but have seeing the option to do it for at least a year.

[kortilla]

If it’s an option and not required, then that doesn’t solve it.

[psychoslave]

Any clue what’s there "Persona" program that they are trying to push hard "so you can have so much positive leads"?

[freeopinion]

You mean @fooco.com? Or @foocousa.com? Or @fooco.xyz? @fooco.ai? @foocoltd.net? @foo.co.uk?

How would LinkedIn validate that your email domain belongs to the company you claim to work for?

[HelloNurse]

With a company-managed list of owned domains where real employees have their work email addresses (unrelated to website domains).

[jaapz]

And using DNS to prove that a domain is actually owned by this organization

[HelloNurse]

Email domains of employee addresses aren't necessarily owned by the company. For example:

  - a startup with legacy personal email addresses from one or two universities
  - a spin-off sharing the email domain (and the whole IT infrastructure) of the parent company
  - cheapskates using six approved free email services

For security purposes, on the other hand, the important part is proving that the LinkedIn account is owned by the organization.

[DaSHacka]

Presumably because the official company page is registered under it?

[account42]

Not all companies use email addresses under the same domain as the "official company page" though.

[sensanaty]

What HelloNurse said, whoever it is that runs the company page on LinkedIn provides a list of domains that they consider theirs.

[3abiton]

I have the same. The difference is, if you do email verification, you will "verified" status. If not, you can still add the company to your linkedin, just unverified, which is not a label.

[SanjayMehta]

I had a LinkedIn account connected to my company email and one day I found myself locked out.

They want me to upload a govt id and blink my eyes in a video to get unlocked.

They can go jump.

[teiferer]

> got it solved by buying drinks for a buddy of mine that works for LinkedIn

That it requires you to buy your buddy a drink says it all. They should have taken the general issue to their higher ups, fixed it for you and then bought you a drink. Or dinner, on LinkedIn's dime.

[dspillett]

> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.

It isn't at all a neat solution, but you could maintain a list of users on LinkedIn that are authorised to speak for your company, linked prominently on your profile with a warning that anyone else claiming to work for the company is likely a scammer but LinkedIn offers no way for you to stop them claiming to be part of your company.

If that became a common pattern it could highlight how much of a scammer paradise LI can be and maybe they'd be more likely to do something about that particular vector.

[dainank]

I know it is only a partial solution, but I saw with some companies that LinkedIn provides a way to verify a user works at such a company. This is done via sending an email to a company domain email address (supposedly yours that you provide), and then approving it from your work laptop. I guess the administrators of the company account on LinkedIn can determine which domains are allowed for this.

The only way this could be abused is if the administrator accounts on LinkedIn itself get hacked and temporarily other email domains are added to the whitelist (or if an approved user themselves got hacked on LinkedIn [or their work email for that matter]). These are all the usual vulnerabilities in any system.

I understand that it would be too extreme to only allow users to claim they worked at a company if this verification is done, but maybe putting a warning if you get a message from a recruiter/someone that has not verified they work at their 'present' company could go a long way (instead of right now tucking away the verified logo quietly on their profile page).

[sph]

> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.

I had the opposite problem: my company name was equivalent to the owner of an online casino. It took me a year to figure out that the enormous amount of spam I was getting about ‘guest post placement’, and people contacting me about deals was because Linkedin put me among the list of the casino employees. As I was Director of my company, I was the most valuable prey for business spam.

I fixed the problem by deleting my account, but now I’m in all the shittiest of spam lists for eternity. I don’t know how do they even harvest emails from Linkedin.

[latexr]

> I don’t know how do they even harvest emails from Linkedin.

https://haveibeenpwned.com/Breach/LinkedIn

[kitse]

this is from 2016. at time they had ~400 million users,and the breach is 164 million, Now it's close to 1.5 B. People these days use aggregators like Apollo, signal hire, apify. There are 1000s of such tools.

[medwards666]

I had it several years ago when I was running my own one-man consultancy [ie: self-employed] ... somehow I'd managed to have six or seven people on LI claiming to work for the same company.

Reported them to LI and nothing was ever done about it. Eventually the accounts disappeared as I guess they were either shut down or repurposed.

[ChrisMarshallNY]

> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.

I remember getting an office manager, working from Dubai (I think), for my one-person, basically nonexistent company, working from my living room, in New York.

She may still be there. I never bother checking into LI, except making an occasional post, every few months.

[cbm-vic-20]

I was looking for people who I had worked with at a company that was acquired 15 years ago, and some random person claims to be the CEO of that company.

[monksy]

Yet they'll go after fun users that make paraody pages saying they worked at places during huge failures. I.e. Dan Woods. (he's the guy that said he worked at aws for a month and then us-east1 went down, etc)

[prawn]

How does that not become a legal issue?

[pants2]

Who are we gonna sue? LinkedIn? I think my place of employment has better things to do than sue Microsoft.

[tliltocatl]

I wonder if a cease and desist to their legal department would work better?

[ian_holt]

<I wonder if a cease and desist to their legal department would work better?>

I assume you mean the LinkedIn legal dept. The problem there is that these companies are so big that a 'complaint' or 'cease & desist' to them would be like a mosquito bite, if that, & most likely get lost in the 10s of thousands of other complaints.

It's the same with FB & Insta, etc. One of my daughters had a FB acct taken over that she had accumulated quite a following (~100k plus) with her custom hand drawn artwork. It was impossible to get any acknowledgement of the issue let alone get a suitable solution. And, unfortunately these large companies do not care. Sometime makes you wonder if LinkedIn & the like are even worth it

[throwaway7783]

LinkedIn doesn't have any redressal mechanisms for anything. Someone I knew went through a lot of abuse by a LI user and kept making new accounts to harass. LinkedIn's response - "We did not find anything that violates our ToC". No wonder it has become a cesspool of spam, fraud and abusers.

[gleenn]

Friends don't let friends use NPM. At this point it is so wildly crazy watching people get owned, I don't understand how anyone uses it when they could use e.g. PNMPM and block one if the most obvious and frequently exploited holes. These tools with arbitrary code execution when trying to download some code have got to stop.

Edit: typos

[afpx]

Github / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently.

[jjice]

They have some changes here in v12: https://github.blog/changelog/2026-06-09-upcoming-breaking-c...

[WalterGR]

And the discussion here, with 215 comments: https://news.ycombinator.com/item?id=48467705

[sheept]

Is it possible to fix it in a backwards compatible way? Removing lifecycle scripts is at least a semver major change, and would complicate existing projects relying on packages with lifecycle scripts from upgrading.

[evilduck]

This is a real world trolley problem scenario. You can break workflows or you can let everyone get pwned by supply chain attacks. Which is the greater harm?

[sheept]

People will not adopt a safer version if it broke their workflows. Adoption is part of preventing supply chain attacks.

[idiotsecant]

They will if it's the only version. Eventually.

[evilduck]

Sure they will. When the real or perceived cost of addressing supply chain attacks exceeds the cost of changing tooling workflows, they will switch.

[winddude]

> Friends don't let friends ise NPM

or linkedin

[jzig]

I don't have friends, therefore I must use LinkedIn to get a job. Hooray!

[teiferer]

I know you are joking, but there is something about this that I really don't get. "Friends" here really means "a professional network". Many nerds despise having one or maintaining/building one. At the same time, people pour weeks/months/years of their life into optimizing their modest investment portfolios. 0.01 percentage points of yearly cost differences of some passive ETF. That surely compounds. But you know what also compounds? Knowing somebody who knows somebody who has $skill or $job_posting. In a big way. Your work comp is still the biggest source of income for most, but investing into optimizing it by broadening your network is something people don't want to do. They'd rather discuss the tax implications of nuances of some investment portfolio.

[philote]

I don't disagree, but broadening your network is a very different skill (being social) than handling investment portfolios. And for some of us, it's not that we necessarily despise creating or maintaining a network, it's that we suck at it.

[teiferer]

And that's my point. Putting just a little bit of minimal effort pays off much more than micro-optimizing some etf investment. Big time.

[nijave]

>These tools with arbitrary code execution when trying to download some code have got to stop

But you still end up with the code on your machine and risk it being ran.

Bigger issue is giant, inscrutible dependency trees.

In this example, if they tried to run the test suite or application, they'd have been in the same boat.

Afaik all or most languages have some way to run arbitrary code at install time but it seems node is the main one getting targeted. I think the bigger issue here is just people running untrusted things.

[gleenn]

Claude Code regularly installs dependencies using (p)npm after I e.g. pull a company main branch to get in sync with my teammates. That happens often. So I pull, Claude edits some code as you requested and it should pass because Claude did alright, but your local box has out-of-date deps. So then Claude runs (p)npm i and now we have automatic exploitation of this gaping hole in npm given extremely common and current AI tooling. Someone has to figure out how to stop AI from running that command or NPM needs to stop that behavior, and I guarantee you it will be easier to get one tool to change than all AI.

[nijave]

The lockfile should protect you there. It'd only be an issue if you're working on updating dependencies in which case there's other protection like min-release-age

If pulling down your company repo and running `npm install` can lead to a compromise, something has went terribly wrong with your company's security setup.

[0x20cowboy]

I agree, but I’d extend that to any language using a package manager at this point. “A little copying is better than a little dependency” even more correct now.

All my current projects have all the code needed in the repo (unless impossible, and aside from a compiler which I guess could also be compromised)

[schrodinger]

IYKYK

[PennRobotics]

Thanks for the reminder. I installed npm yesterday to extract Electron app contents and forgot to remove it afterward.

[mhitza]

Things like this where a tried and tested method on Upwork, particularly in the 2021-2022 crypto/nft highs. At some point they branched out from crypto projects and cast a wide net across different categories.

Last I recall was a download of a windows scr (screensaver masquerading) file.

Linkedin is a new low, and I'm sure the platform doesn't really care (look, more jobs), just as ad network companies (Google, Meta) don't really care about scam ads.

[democracy]

I reported a fake costco website ad (cc harvester) to Google, their response was something along "we cannot verify the ad", go figure

[Grimburger]

I've been freelancing for over a decade. This stuff is every third crypto related job. They're all malware repos running scripts the moment you turn on vscode hoovering up everything they can on your computer.

It's the least surprising thing once you've put yourself out there, very strange watching people here think it's novel, I expect it by default at this point, a stranger handing you code needs to go into a vm, would you let them hand you some candy with a wink too?

[firefax]

I've had people phish for my email then hit that with some bullshitpowershellladendoucument.pdf.docx crap, but sending it directly in the IM?

Bold strategy cotton, let's see if it pays off.

[red-iron-pine]

while working at a Fortune 500 MNC, gig before this one, I used to get LinkedIn hits from recruiters.

never got serious ones before, the occasional, useless headhunters who are clearly not based in the same country, but these were different. They were big companies in Canada, ones I'd definitely heard of and even applied to in the past. They were direct, were recruiters for those companies themselves, and were plugged in, able to answer questions, and engaging.

they constantly sent job ads, but only via .pdf files. I even pushed back on one and said I don't open random pdfs, send me a link and they declined. Same recruiter hit me up for a similar role a month later, also via pdf.

Multiple other members of the IT org, esp. the security and infra teams, also reported similar, aggressive recruitment efforts with pdfs. This was around 2020-2021.

[quietsegfault]

I recently went through an interview—o-thon and got a couple obvious scammers. I hope it’s because it’s more prevalent, and not because I seem stupid enough to fall for it!

[coip]

It’s been this bad for a little while, iirc have seen a few of these pop up over the last few years. And that’s just for the few someone’s caught/documented

[burnte]

I haven't been phished like this but I've certainly had fraudsters try to con me into meetings or schemes, etc.

[zkmon]

I stay away anything that needs npm. I regularly scan for node-modules folders and rm -rf it.

[DonHopkins]

> a recruiter at a small crypto startup

That's all you need to know they're criminals and frauds.

[cyanydeez]

surprise is unwarranted as linkedin enshittifies. This type of thing is exactly what happens when neither the user of the service, nor the third party commercial interests are being served by the commercial enterprise. It's a vacuum that scams enter into.

[bee_rider]

LinkedIn is unusually resistant to enshitification; it started that way.

[citizenpaul]

I'm not. I call it identitythiefresourcecenter.com or its shorter name freecriminalresource.com

I hate how normalized it became for "HR" to require you having a LI page for a job. I don't think its as bad now but for a while it was essentially not possible to get a job without putting all your personal info on linkedin.