A fake recruiter sent Roman Imankulov a GitHub repo with a hidden npm hook. He cloned it on a Hetzner VPS, ran Codex with no write access, and avoided code that could have executed an attacker's payload.
Roman Imankulov avoided a developer workstation compromise after a fake recruiter sent him a GitHub repository with a backdoor in a routine npm install path.
The attacker posed as a recruiter from a small crypto startup and contacted Imankulov through LinkedIn, Thomas Claburn of The Register reported Tuesday. She asked him to inspect proof-of-concept code and fix an issue with a deprecated Node module. Imankulov distrusted the request because he had heard about job-interview attacks against developers.
He cloned the repository on a Hetzner VPS and asked his Pi coding agent, running Codex, to inspect the code with no write access. He expected a bland review. He got a warning to walk away.
He saw Codex point to app/test/index.js, a file that looked like a rough test setup. The attacker used that file to assemble a server URL from fragments and send a network request. The attacker could use the remote server to send code back to the machine that ran the script.
Imankulov said he had skimmed the file and missed the trap. He thought the code looked messy enough to fit the recruiter's story. He then saw the agent identify the risk in the same file he had dismissed.
The attacker put a prepare hook in package.json, so a developer who ran npm install could have triggered the script during setup. You run npm install and ask npm to process lifecycle hooks such as prepare, preinstall, install, and postinstall. The npm team documents that model in its package scripts guide.
The attacker used a normal developer habit as the entry point. A job candidate gets a repo, opens a terminal, installs packages and tries to reproduce the bug. That sequence gives an attacker a path to SSH keys, cloud tokens, package credentials and source code access before the candidate joins a company.
GitHub removed or hid the malicious repository after Imankulov complained, The Register reported. Researchers can still find a clone. Imankulov also contacted the developer whose name and public work appeared to support the repo. The developer told him impostors had used his identity on GitHub before.
The LinkedIn profile behind the outreach pointed to a real arts journalist, but Imankulov believed the recruiter profile used a fake identity. His exchange with the recruiter showed more technical knowledge than the public work history suggested.
Claburn cited LinkedIn figures that show the scale of the account problem. LinkedIn restricted 386,000 accounts after user reports from January through June 2025, up from 266,000 in the prior six months and 86,000 from January through June 2021.
Legal exposure
Imankulov kept the code off his workstation, so no regulator has announced a breach notice, GDPR fine, or CCPA penalty tied to this incident. The compliance risk changes when an attacker reaches a work machine that stores customer data access, production secrets or internal repository tokens.
European organizations that process personal data face duties under GDPR Article 32 to maintain security measures that fit the risk, including controls for confidentiality, integrity, resilience and security testing. A developer endpoint with live credentials can sit inside that risk model because an attacker can use it to reach systems that process personal data.
GDPR Article 83 gives regulators room to impose fines tied to the facts of the case. The top tier can reach 20 million euros or 4% of annual global turnover, whichever figure runs higher, under Article 83. A company that lets attackers reach personal data through weak endpoint controls may need to explain its workstation isolation, token scope, access review and incident response records.
California's CCPA guidance gives consumers a narrower private claim after some data breaches. A consumer can sue when a thief steals nonencrypted and nonredacted personal information after a business fails to maintain reasonable security procedures and practices. The statutory damages can reach $750 per incident. The attorney general or the California Privacy Protection Agency can take action for other CCPA violations.
The affected parties extend past the developer who receives the lure. The impersonated developer loses reputation. The hiring target risks personal devices and accounts. The target's employer risks code, credentials and customer data if the developer uses a work machine or shared secrets. Users bear the privacy harm if an attacker turns that access into data theft.
npm 12 and install-script control
The Register reported that GitHub, which maintains npm, plans to change npm install behavior in npm 12. The planned allowScripts default would block dependency preinstall, install, and postinstall scripts unless a project permits them.
GitHub product manager Leo Balter described install-time lifecycle scripts as a major code-execution surface in the npm ecosystem, according to the report. The concern comes from transitive dependencies. A developer may trust a top-level package, but one package far down the tree can still run code on a laptop or CI runner during install.
Imankulov said he had moved to pnpm for personal safety because he wanted install scripts off by default. Teams can also use containers, cloud workstations, throwaway VMs and package-manager settings that require review before scripts run.
Controls developers can use now
Security teams should treat outside repositories like hostile attachments. Recruiter code, take-home tasks and bug repros deserve the same isolation as malware samples when a stranger sends them to an engineer.
Developers can inspect package.json before install, search for lifecycle hooks and run code in a VM with no host secrets. They can deny network access during first review or watch for unexpected outbound requests from test files. They should use short-lived tokens and scope credentials so one laptop compromise does not grant broad access.
Managers should give engineers a sanctioned place to test untrusted code. A secure cloud workstation or disposable container reduces the chance that a candidate or employee will improvise on a personal laptop. The company should log outbound connections, rotate exposed tokens after a scare and document the controls for GDPR and CCPA response.
AI review adds value when a developer constrains it. Imankulov did not ask an agent to run the repo. He asked it to read. That choice kept the attack path closed and gave him a second set of eyes on code that exploited a familiar habit.
Comments
Please log in or register to join the discussion