June 15, 2026
LinkedIn, Lies & Malware
A backdoor in a LinkedIn job offer
Fake recruiter, stolen identities, and a job offer that wanted inside your computer
TLDR: A developer says a LinkedIn job pitch led to a fake code review designed to hijack his computer, using stolen identities to seem trustworthy. Commenters were furious that scammers are targeting desperate job seekers, while others joked darkly that downloading stranger-made code is basically unsafe digital dating.
This story hit readers right in the modern worker anxiety: you think you’re chatting with a recruiter about a dream job, and instead you’re being lured into opening the digital equivalent of a stranger’s van. The developer who got the message smelled something fishy, checked the code safely on a throwaway machine, and found a hidden booby trap that would run after a simple install. Even messier? The “recruiter” and a listed developer both appeared to be real people whose identities had been borrowed, which sent the comments straight into outrage mode.
The community response was a mix of fury, gallows humor, and exhausted resignation. One of the loudest themes was job-hunter vulnerability: commenters were furious that scammers are preying on stressed engineers in a brutal hiring market, calling them “the worst of the worst.” Others zoomed out and said this is exactly why the software world keeps getting burned by shady packages and fake job outreach, with some pointing to other big-name victims reportedly targeted through LinkedIn. And yes, the jokes arrived immediately: one commenter compared downloading random scripts to unsafe sex in 1995 and told everyone to “use protection” before putting strangers’ junk in their computers. Crude? Absolutely. Memorable? Also absolutely.
Then came the true-crime angle: people asking why there isn’t a cybercrime version of 911 for this kind of thing. The biggest shared feeling was simple: this isn’t just a scam, it’s organized manipulation, and regular people are being left to fend for themselves.
Key Points
- •A supposed recruiter on LinkedIn sent the author a GitHub repository and asked for help reviewing a deprecated Node modules issue related to a lead engineer role at a small crypto startup.
- •The author inspected the repository in an isolated Hetzner VPS using Pi in read-only mode instead of running it locally.
- •The suspicious file `app/test/index.js` contained code that assembled a remote URL and could execute whatever payload the server returned.
- •The backdoor would be triggered automatically because `app/index.js` required the test file and `npm install` would run the repository’s `prepare` script.
- •The repository commits and recruiter profile appeared to use the identities of real people who were not actually involved, and the author reported the repo to GitHub and the recruiter to LinkedIn.