A backdoor in a LinkedIn job offer

1365 points · 261 comments on HN


A LinkedIn job offer repo contained a backdoor that executed automatically on npm install.

The author received a LinkedIn message asking him to review a GitHub repo for "deprecated Node modules." Suspicious, he had a read-only agent (Pi) scan the code rather than running it. The agent immediately flagged a backdoor in `app/test/index.js`, which assembled the URL `https://rest-icon-handler.store/icons/77` and executed arbitrary code served from that address. The `prepare` script in `package.json` ran `node app/index.js` after `npm install`, so the payload fired automatically as part of installation, with no further action from the reviewer. The repo's commits were attributed to a real developer who had been impersonated, and the recruiter's profile belonged to a journalist. The author reported the repo and the recruiter, but no action was taken.

What commenters are saying

Commenters warn that this is a common attack vector for npm authors, often targeting desperate job seekers. Many note the backdoor likely steals environment variables, SSH keys, crypto wallets, or enables supply-chain attacks. There is debate about the lack of a global cybercrime reporting system; some mention IC3.gov but acknowledge that perpetrators operate from countries with little extradition risk. A few suggest using Docker or sandboxing for any code review.