Unemployed and looking for a job? Beware of fake recruiters sending coding challenges loaded with backdoors to steal your crypto and SSH keys.
Are you hunting for jobs on LinkedIn, hoping for that sweet $200k remote gig? Don't pop the champagne just yet when a recruiter slides into your DMs with an "exciting opportunity." It might just be an elaborate setup to drain your crypto wallet and steal your SSH keys.
Let’s dive into a sophisticated cyber scam that has been making waves in the dev community, where a recruiter's coding test turned out to be a malicious backdoor trap.
It all started when Roman, a software engineer, received a very professional message on LinkedIn. The recruiter offered a high-paying role and, after a brief and convincing conversation, sent over a zip archive containing the "technical assessment" or "project files" to review.
For many eager developers, the instinct is to download, extract, and run npm install or setup scripts immediately. Fortunately, Roman had his spider-sense tingling. Instead of blindly running the code, he decided to inspect what was under the hood.
What he found was a classic, yet highly dangerous backdoor. The malware was embedded directly within the project's initialization and build scripts. The moment an unsuspecting dev runs the installation command, the script triggers silently, scanning the local machine for environment variables, browser session cookies, and private SSH keys, before shipping them off to the hacker’s command-and-control server.
The story quickly exploded on Hacker News, garnering over 1000 points. The community split into several fascinating discussions:
Let's wrap this up with some practical survival advice. In a tough job market, scammers are exploiting our eagerness to find work. To keep your system safe:
.env files lying around in plain text.Stay safe out there, and happy hunting!
Read the full technical breakdown of the backdoor at: roman.pt