Security
Developer-targeted RAT delivered through a fake VC job interview
- Category: Security
- Status: discussion
- Sources: write-up, discussion
- Summary: Matt Mastracci, a crates.io package maintainer, published an analysis on 2026-06-25 of a targeted attack that reached him through a fake venture-capital firm ("Lua Ventures") offering advisory work, backed by a fabricated LinkedIn persona and shell company sites. The payload was a TypeScript "ferry app" repository whose
typescript@5.9.2patch file carried a base64, XOR-encrypted stub that runs when TypeScript executes. A multi-stage loader reads a hidden chunk from an image file, runs embedded WebAssembly, then spawns a detached Node process delivering a RAT ("PinpinRAT") with file exfiltration, arbitrary command execution, environment-variable dumping, and DNS tunneling, with a C2 at 89.124.107.161. The attack failed because the author inspected the repository structure with AI before running it rather than executing the code. - Why it matters: It is another concrete instance of the fake-recruiter, developer-targeted supply-chain vector seen in the 2026-06-15 npm LinkedIn backdoor, with a fuller technical teardown of the staged loader and persistence.