Top stories
Developer-targeted npm backdoor delivered through a fake LinkedIn job offer
- Category: Security
- Status: confirmed
- Sources: Roman Imankulov write-up, HN discussion
- Summary: In a post dated 2026-06-15, developer Roman Imankulov describes a targeted attack that reached him through a LinkedIn recruiter using a stolen identity, asking him to review a "broken proof-of-concept" repository for a crypto startup. The repository hid a backdoor in
app/test/index.js: about 250 lines dressed up as sloppy beginner test code assembled the URLhttps://rest-icon-handler.store/icons/77and executed arbitrary commands fetched from that remote server. The payload runs automatically onnpm install, because the package's npmpreparelifecycle script invokesnode app/index.js, which requires the malicious test file. The repository's commit history and the recruiter profile both reused real people's identities. Imankulov inspected the project with a read-only AI agent under restricted permissions rather than running it directly. - Comments: HN commenters noted this is now a common way npm maintainers are compromised, citing an earlier LinkedIn-sourced attack on an axios-ecosystem maintainer, and stressed the added risk to job-seeking developers under hiring pressure.
- Why it matters: The npm
preparelifecycle plus annpm installduring code review turns "just look at my repo" into remote code execution, so reviewing unsolicited repositories in an unsandboxed environment is itself the exposure. - Follow-up: Watch for takedown of the
rest-icon-handler.storeinfrastructure and any attribution linking this to the broader fake-recruiter campaign against package maintainers.