• Category: Security
  • Status: discussion
  • Sources: grack.com teardown, HN discussion
  • Summary: Matt Mastracci (crates.io maintainer) published a teardown of a fake-VC ("Lua Ventures") job-interview lure delivering a TypeScript "ferry app" repo whose patched typescript dependency ran a staged loader (base64/XOR stub, hidden image chunk, WebAssembly, a detached Node RAT) on execution. He avoided compromise by inspecting the repo with an AI agent before running it. The thread reinforces the recurring developer-targeted fake-recruiter supply-chain vector tracked since the 2026-06-16 npm-backdoor item.
  • Why it matters: Maintainers of high-value package registries remain direct targets of social-engineering supply-chain attacks, and read-only inspection before execution is the practical mitigation.

Send feedback on this story