Today I received an Upwork job invite titled
“Experienced Node.js Coder Needed for Bug Fix”
with a tempting $760 fixed price and a Dropbox link to the code.
It looked normal at first, but a few details didn’t sit right:
- 💸 Unrealistic budget for a simple bug fix.
- 📦 The client insisted I download and run a ZIP immediately to “see the error.”
- 👤 Profile not payment verified and brand-new.
Instead of running it, I inspected the archive without executing anything.
Here’s what I found:
- node/helpers/css.js reads a “CSS” file (public/css/types.txt) and runs it with eval() only on Windows.
- types.txt isn’t CSS at all—it’s obfuscated JavaScript that extracts hidden ZIPs (js.zip, node.zip, i.zip) and silently spawns Windows executables via cmd.exe /c start.
- The project even bundles a 7-Zip binary so it can unpack those hidden files locally.
That pattern—obfuscation + hidden zips + detached .exe launch—is exactly how a dropper/backdoor works.
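A small static triage script of the kind used to inspect such an archive without running anything, added here as an example (not code from the original post or from the scam project). The file contents are constructed stand-ins for the files named above, and the indicator rules are assumptions for illustration rather than a complete detector:

```javascript
// Added example, not code from the original post or the scam project.
// Static triage of a Node.js archive without executing anything: the file
// contents below are constructed stand-ins for the files named in the post.
const SAMPLE_FILES = {
  "node/helpers/css.js":
    'const fs = require("fs");\n' +
    'if (process.platform === "win32") eval(fs.readFileSync("public/css/types.txt", "utf8"));',
  "public/css/types.txt":
    'var _0x4f=["child_process"];require(_0x4f[0]).exec("cmd.exe /c start i.exe");',
  "public/css/style.css": "body { margin: 0; }",
  "node/bin/7z.exe": "MZ\u0090\u0000", // constructed PE header bytes of a bundled executable
};
// Heuristic indicators (assumptions for illustration, not a complete detector).
const RULES = [
  { id: "eval-of-file", re: /eval\s*\(\s*(?:fs\.)?readFileSync/, note: "eval() of file contents" },
  { id: "win-only-branch", re: /process\.platform\s*===?\s*["']win32["']/, note: "Windows-only code path" },
  { id: "detached-launch", re: /cmd(?:\.exe)?\s*\/c\s+start\b/i, note: "cmd.exe /c start launch" },
  { id: "child-process", re: /child_process|\bspawn\s*\(|\bexec\s*\(/, note: "process spawning" },
  { id: "hex-identifiers", re: /_0x[0-9a-f]{2,}/i, note: "obfuscator-style identifiers" },
];
// A "CSS" file should contain rule blocks and no JavaScript constructs.
function looksLikeCss(text) {
  return /\{[^{}]*:[^{}]*\}/.test(text) && !/require\s*\(|eval\s*\(|function|=>/.test(text);
}
// Returns one finding per (path, indicator) without running any of the code.
function triageProject(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    for (const r of RULES) {
      if (r.re.test(content)) findings.push({ path, id: r.id, note: r.note });
    }
    if (path.includes("/css/") && /\.(css|txt)$/.test(path) && !looksLikeCss(content)) {
      findings.push({ path, id: "css-mismatch", note: "non-CSS content in CSS path" });
    }
    if (content.startsWith("MZ")) {
      findings.push({ path, id: "bundled-pe", note: "bundled Windows executable" });
    }
  }
  return findings;
}
// Combining the two strongest indicators is what marks the dropper pattern.
function verdict(findings) {
  const ids = new Set(findings.map((f) => f.id));
  if (ids.has("eval-of-file") && ids.has("detached-launch")) return "likely dropper";
  return ids.size > 0 ? "suspicious" : "clean";
}
console.log(verdict(triageProject(SAMPLE_FILES)), triageProject(SAMPLE_FILES));
```

Run against a real archive by replacing SAMPLE_FILES with a map of paths to file contents read from the extracted directory; the script never evaluates or spawns anything itself.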
I’ve flagged the job and reported it to @Upwork Trust & Safety so they can warn others.
🔑 Takeaways for fellow freelancers
- Never run code from strangers without first looking inside (even on trusted platforms).
- Watch for red flags: unverified payment, big payout for trivial work, pressure to run code immediately.
- If something feels off, stop, inspect, and report.
Stay safe and keep each other safe.