OMG, this is absurd by design... the C2-via-Google-Doc trick is interesting. Rotating the payload destination by editing a doc, with no repo commit and no blocked domain? That's genuinely clever operational security for a phishing campaign.
The Function.constructor indirection to dodge SAST is also worth flagging louder. A lot of teams rely on automated scans as a security blanket, and this shows how thin that blanket is against someone who spent five minutes thinking about keyword matching.
One thing I'd add for folks doing contract/freelance work: --ignore-scripts as a default install flag is great advice, but you can enforce it project-wide via .npmrc with ignore-scripts=true. Locks it in so you don't forget on a rushed install.
The "fake job" vector is particularly predatory right now with so many engineers on the market. I'm in that situation myself, actively job searching, and I've had a few suspicious recruiter approaches lately. The Calendly invite as a legitimacy signal is a nice touch on their part, just enough friction to feel real.
Also thanks for documenting this properly. Sharing it.