news.volyx.in

A backdoor in a LinkedIn job offer (roman.pt)

1614 points by lwhsiao · 26 days ago · 304 comments on HN

Article summary

A developer received a LinkedIn message from a recruiter with a job offer and a request to review a GitHub repository. The developer discovered a backdoor in the repository that could execute arbitrary code on the reviewer's machine. The backdoor was disguised as a test suite and was triggered by running npm install. The developer reported the repository to GitHub and the recruiter to LinkedIn.

Main themes

  • Job offer scams
  • GitHub repository security
  • Social engineering
  • Cybercrime reporting
  • Developer security hygiene

What commenters say

  • The lack of a centralized agency to report cybercrime makes it difficult to take action against scammers.
  • Tech companies should be held responsible for preventing and responding to cybercrime on their platforms.
  • A global '911' for cybercrime is needed to provide a unified response to these types of threats.
  • Some commenters believe that the US would not extradite citizens who hack into foreign systems, even if it's illegal.
  • Others argue that the effort required to catch and prosecute scammers is disproportionate to the ease of spinning up a scam.
  • There is a need for better support networks and resources for victims of cybercrime.
  • Some commenters think that banning US platforms in other countries could be an effective way to force them to take action against cybercrime.
  • Others argue that this approach would be ineffective and could lead to unintended consequences.