Here’s What Happened and What I Did To Handle It
A few days ago, a supposed recruiter contacted me on LinkedIn for a “Web3 Full Stack Developer” role. Everything seemed normal; the messages were professional, the challenge looked legit, and they shared a Bitbucket link to a Node.js project for a take-home assignment. The PDF instructions looked like a typical coding test: Add wallet connection functionality
- Build a simple Notes CRUD API
- Show a demo video via Loom
- Nothing suspicious; until I ran npm install.
What Happened After Running npm install
Almost instantly, I noticed abnormal activity:
- Multiple Node processes started in the background
nethogsshowed outbound traffic even after closing my terminal- CPU usage from `/home/michael/Development/poc_v23…
Here’s What Happened and What I Did To Handle It
A few days ago, a supposed recruiter contacted me on LinkedIn for a “Web3 Full Stack Developer” role. Everything seemed normal; the messages were professional, the challenge looked legit, and they shared a Bitbucket link to a Node.js project for a take-home assignment. The PDF instructions looked like a typical coding test: Add wallet connection functionality
- Build a simple Notes CRUD API
- Show a demo video via Loom
- Nothing suspicious; until I ran npm install.
What Happened After Running npm install
Almost instantly, I noticed abnormal activity:
- Multiple Node processes started in the background
nethogsshowed outbound traffic even after closing my terminal- CPU usage from
/home/michael/Development/poc_v2394kept increasing - A script named
mainThreadFallback.jswas loaded unexpectedly
After digging deeper, I discovered a malicious script that was quietly searching for sensitive files like .env, SSH keys, and browser tokens….. then attempting to exfiltrate them to a remote cloud server.
It mimicked legitimate dependencies but ran post-install hooks through a hidden script, making it look like part of the build process. Once confirmed, I immediately isolated the directory, stopped all related Node processes, and scanned for lingering connections using:
sudo ss -tnp
ps -ef | grep node
Every malicious PID was tied to that project path.
What I Did Next
- Killed every suspicious process:
pkill -f poc_v2394 - Removed the infected folder entirely.
- Revoked and regenerated SSH keys (both personal and server-side).
- Reset tokens from GitHub, servers, and cloud services.
- Audited network connections (ss, lsof, netstat,nethogs ) for hidden Node instances.
- Cleaned global npm cache and removed possible global infections:
npm cache clean --force&sudo rm -rf ~/.npm ~/.cache - Rebooted and verified all background processes
What do you think? Should I have take more, additional steps?
Aftermath
When I told the “recruiter” that his project contained malware, he immediately blocked me. That was the final confirmation that it was bad news.
The assignment was nothing but a social engineering trap targeting devs; hiding data-stealing malware inside a fake “job challenge.” While not uncommon especially considering the uptick of DPRK driven exploits, this seemed to have caught me off guard.
It was a modern, targeted attack on engineers who trust shared repositories from supposed employers.
Lessons for Developers
- Never run
npm installblindly on code you didn’t verify. - Always inspect
package.jsonand look for suspicious postinstall scripts. - Use
--ignore-scriptsflag on unknown projects
What else did I learn?
Dark Times Ahead!!!
This was a targeted exploitation of developer trust. Recruitment scams are very present and evolving: instead of phishing emails, they now use take-home tests to infect machines and extract credentials. And LinkedIn is their breeding ground.
If you’re a developer, stay paranoid, sandbox unknown projects, and never trust code just because it came from a “recruiter.”