DEV Community

Michael M

I Was Given a “Job Assignment” That Installed Malware

Here’s What Happened and What I Did To Handle It

A few days ago, a supposed recruiter contacted me on LinkedIn for a “Web3 Full Stack Developer” role. Everything seemed normal; the messages were professional, the challenge looked legit, and they shared a Bitbucket link to a Node.js project for a take-home assignment.
The PDF instructions looked like a typical coding test:

  • Add wallet connection functionality
  • Build a simple Notes CRUD API
  • Show a demo video via Loom

Nothing suspicious, until I ran npm install.

What Happened After Running npm install

Almost instantly, I noticed abnormal activity:

  • Multiple Node processes started in the background
  • nethogs showed outbound traffic even after closing my terminal
  • CPU usage from /home/michael/Development/poc_v2394 kept increasing
  • A script named mainThreadFallback.js was loaded unexpectedly

After digging deeper, I discovered a malicious script that was quietly searching for sensitive files like .env, SSH keys, and browser tokens, then attempting to exfiltrate them to a remote cloud server.

It mimicked legitimate dependencies but ran post-install hooks through a hidden script, making it look like part of the build process.
Once confirmed, I immediately isolated the directory, stopped all related Node processes, and scanned for lingering connections using:

sudo ss -tnp
ps -ef | grep node

Every malicious PID was tied to that project path.

What I Did Next

  1. Killed every suspicious process: pkill -f poc_v2394
  2. Removed the infected folder entirely.
  3. Revoked and regenerated SSH keys (both personal and server-side).
  4. Reset tokens from GitHub, servers, and cloud services.
  5. Audited network connections (ss, lsof, netstat, nethogs) for hidden Node instances.
  6. Cleaned the global npm cache and removed possible global infections: npm cache clean --force && sudo rm -rf ~/.npm ~/.cache
  7. Rebooted and verified all background processes.

What do you think? Should I have taken any additional steps?

Aftermath

When I told the “recruiter” that his project contained malware, he immediately blocked me. That was the final confirmation that it was bad news.

The assignment was nothing but a social engineering trap targeting devs, hiding data-stealing malware inside a fake “job challenge.” While not uncommon, especially considering the uptick in DPRK-driven exploits, this still caught me off guard.

It was a modern, targeted attack on engineers who trust shared repositories from supposed employers.

Lessons for Developers

  • Never run npm install blindly on code you didn’t verify.
  • Always inspect package.json and look for suspicious postinstall scripts.
  • Use the --ignore-scripts flag on unknown projects.

What else did I learn?

Dark Times Ahead!!!

This was a targeted exploitation of developer trust. Recruitment scams are very present and evolving: instead of phishing emails, they now use take-home tests to infect machines and extract credentials. And LinkedIn is their breeding ground.

If you’re a developer, stay paranoid, sandbox unknown projects, and never trust code just because it came from a “recruiter.”
