Hacker News
Crates.io maintainer dissects a fake-recruiter supply-chain lure
- Category: Security
- Status: discussion
- Sources: grack.com teardown, HN discussion
- Summary: Matt Mastracci (crates.io maintainer) published a teardown of a fake-VC ("Lua Ventures") job-interview lure delivering a TypeScript "ferry app" repo whose patched typescript dependency ran a staged loader (base64/XOR stub, hidden image chunk, WebAssembly, a detached Node RAT) on execution. He avoided compromise by inspecting the repo with an AI agent before running it. The thread reinforces the recurring developer-targeted fake-recruiter supply-chain vector tracked since the 2026-06-16 npm-backdoor item.
- Why it matters: Maintainers of high-value package registries remain direct targets of social-engineering supply-chain attacks, and read-only inspection before execution is the practical mitigation.