• Category: Security
  • Status: confirmed
  • Sources: Roman Imankulov write-up, HN discussion
  • Summary: In a post dated 2026-06-15, developer Roman Imankulov describes a targeted attack that reached him through a LinkedIn recruiter using a stolen identity, asking him to review a "broken proof-of-concept" repository for a crypto startup. The repository hid a backdoor in app/test/index.js: about 250 lines dressed up as sloppy beginner test code assembled the URL https://rest-icon-handler.store/icons/77 and executed arbitrary commands fetched from that remote server. The payload runs automatically on npm install, because the package's npm prepare lifecycle script invokes node app/index.js, which requires the malicious test file. The repository's commit history and the recruiter profile both reused real people's identities. Imankulov inspected the project with a read-only AI agent under restricted permissions rather than running it directly.
  • Comments: HN commenters noted this is now a common way npm maintainers are compromised, citing an earlier LinkedIn-sourced attack on an axios-ecosystem maintainer, and stressed the added risk to job-seeking developers under hiring pressure.
  • Why it matters: The npm prepare lifecycle plus an npm install during code review turns "just look at my repo" into remote code execution, so reviewing unsolicited repositories in an unsandboxed environment is itself the exposure.
  • Follow-up: Watch for takedown of the rest-icon-handler.store infrastructure and any attribution linking this to the broader fake-recruiter campaign against package maintainers.

Send feedback on this story