1. A Surprising LinkedIn Message

Earlier this week, I received a curious message on LinkedIn from someone claiming to need a React.js and Node.js developer with blockchain expertise. The project sounded routine at first—I’ve completed many similar gigs on reputable freelancing platforms like Upwork. However, something about this offer felt oddly vague and rushed. He quoted me $80 an hour for the job.

Pro Tip: When a recruiter or potential client withholds basic project details (timeline, scope, requirements), consider it a red flag.

2. Digging Deeper: Initial Investigation

Determined to learn more, I requested clarity on the scope and requirements. Instead of concrete details, the individual—let’s call him the “Bad Actor”—provided another vague description. With my curiosity at its peak, I performed a quick OSINT (Open Source Intelligence) check on his profile picture. It turned out that the photo actually belonged to someone else on LinkedIn—a clear sign this offer might be malicious.

Despite the suspicious behavior, I wanted to investigate further. I decided to play along and see how this bad actor operated. He then insisted I test his “product” and invited me to a GitHub repository to collaborate.

3. Unearthing the Hidden Backdoor

To avoid compromising my personal system, I set up a secure Azure VM (Virtual Machine) and cloned the repository. On the surface, the project looked like a legitimate crypto-related web app with polished code. But after carefully reviewing the files, I discovered something was way off in the server/router folder, specifically in an auth.js file.

The clever part was how he hid the suspicious code within this file. Look at the image below: do you see anything suspicious? No? Exactly, that is what I also thought at first glance; nothing seemed unusual until I scrolled horizontally. Buried in a large block of code was an obfuscated constant. When I asked the bad actor about it, he brushed me off, urging me to “focus on the rocket animation” instead. I pretended to have seen some odd function that I did not understand and asked if he could explain it. I was expecting him to lie, I was expecting him to feed me some bs, but instead he straight-up told me to leave the server folder alone and concentrate on the rocket animation 😂

[Image: screenshot of the auth.js file; the obfuscated constant only appears after scrolling horizontally]

4. Technical Analysis: How the Malicious Code Worked

Determined to uncover the truth, I deobfuscated the constant. What I found was not good:

  • Obfuscation Techniques: The code relied on Base64 encoding and XOR cipher operations to hide its real purpose.
  • Node.js Module Loading: Once decoded, it revealed the use of Node.js modules such as child_process—a key component for executing commands on the victim’s machine.
  • System Profiling: The malware collected system data (home directory, temp directory, platform details) to identify the compromised environment.
  • Multi-Stage Attack:
    • Command and Control (C2): It contacted a remote server to send system information and receive instructions.
    • Payload Download: It downloaded additional malicious code, wrote it to the file system, and executed it with elevated privileges.
    • Persistence Mechanism: A scheduler repeatedly triggered these operations, maintaining remote access even if parts of the malware were detected and removed.

Core Functions & Their Roles

  1. decodeObfuscatedString() / xorDecode(): Decode the masked strings that hide the malicious operations from a casual reader.
  2. sendRemoteRequest(): Communicates with a hidden C2 server.
  3. processPayload(): Downloads and executes malicious payloads.
  4. writeFileAndExecute(): Installs additional code, potentially as root/admin.
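The scanner below is an added example, not code from the article or from the repository it analyzed. It performs the kind of static triage a reviewer could run over a cloned project before executing anything: it flags overlong lines of the sort described in section 3, finds quoted Base64 blobs, and brute-forces single-byte XOR keys over each blob to see whether a readable string with loader-style tokens (child_process, os profiling calls, file writes, HTTP requests) falls out, which is the Base64-plus-XOR layering described above. The sample source file, the key "k", the hidden text and the token list are all constructed assumptions for this example.

```javascript
// Added example (not the article's code): static triage of a Node.js source
// file for a constant parked off-screen on a long line, Base64 blobs, and
// single-byte XOR masking over strings a loader needs.

// Tokens a decoded loader string would plausibly contain, given what the
// article describes. Plain indicators, not a signature for any specific sample.
const SUSPICIOUS_TOKENS = [
  "child_process", "exec(", "spawn(", "homedir", "tmpdir", "platform",
  "writeFileSync", "http.request", "https.request",
];

// XOR every byte with a repeating key (the masking step the article describes).
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key.charCodeAt(i % key.length);
  return out;
}

// Constructed sample file: an Express-style router with one line that pushes a
// masked constant 200 columns to the right. Key and hidden text are made up.
const XOR_KEY = "k";
const HIDDEN_TEXT = 'require("child_process"); os.homedir(); os.tmpdir(); os.platform()';
const ENCODED = xorBytes(Buffer.from(HIDDEN_TEXT, "utf8"), XOR_KEY).toString("base64");
const SAMPLE_SOURCE = [
  'const express = require("express");',
  'const router = express.Router();',
  'router.post("/login", async (req, res) => { res.json({ ok: true }); });',
  'const _0x1f =' + " ".repeat(200) + '"' + ENCODED + '";',
  'module.exports = router;',
].join("\n");

// Quoted run of 40+ Base64 characters with optional padding.
const BASE64_RE = /["'`]([A-Za-z0-9+/]{40,}={0,2})["'`]/g;

function isPrintable(text) {
  return [...text].every((c) => {
    const o = c.charCodeAt(0);
    return o === 9 || o === 10 || o === 13 || (o >= 32 && o < 127);
  });
}

// Try every single-byte XOR key over a Base64 blob and keep the printable
// decoding that matches the most tokens. Returns null when nothing matches.
function tryXorDecode(blob) {
  const raw = Buffer.from(blob, "base64");
  let best = null;
  for (let k = 0; k < 256; k++) {
    const text = xorBytes(raw, String.fromCharCode(k)).toString("latin1");
    if (!isPrintable(text)) continue;
    const hits = SUSPICIOUS_TOKENS.filter((t) => text.includes(t)).length;
    if (hits > 0 && (best === null || hits > best.hits)) best = { key: k, text, hits };
  }
  return best;
}

// Walk the source line by line and collect findings a reviewer should inspect.
function scanSource(source, { maxLineLength = 200 } = {}) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const lineNo = idx + 1;
    if (line.length > maxLineLength) {
      findings.push({ line: lineNo, kind: "long-line", detail: `${line.length} chars` });
    }
    for (const tok of SUSPICIOUS_TOKENS) {
      if (line.includes(tok)) findings.push({ line: lineNo, kind: "plain-token", detail: tok });
    }
    for (const m of line.matchAll(BASE64_RE)) {
      const decoded = tryXorDecode(m[1]);
      findings.push(decoded
        ? { line: lineNo, kind: "xor-base64-decoded",
            detail: `key=0x${decoded.key.toString(16)} -> ${decoded.text}` }
        : { line: lineNo, kind: "base64-blob",
            detail: `${m[1].length} chars, no readable single-byte XOR decoding` });
    }
  });
  return findings;
}

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line} [${f.kind}] ${f.detail}`);
}
```

Run it with node and the constructed sample produces two findings on line 4: the long line itself and the recovered string with its key. The brute force only covers single-byte keys; a longer repeating key needs a known-plaintext guess (a module name the loader must reference) to recover the key stream, and a blob with no readable decoding is still worth opening in a debugger rather than dismissing.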

5. MITRE ATT&CK Mapping

Below is a quick look at how this backdoor maps to known MITRE ATT&CK tactics:

| Tactic | Technique ID | Technique Name | Implementation |
|---|---|---|---|
| Initial Access | T1195 | Supply Chain Compromise | Injected malicious code into the auth.js file |
| Execution | T1059.007 | JavaScript/Node.js | Used Node.js to run obfuscated functions |
| Persistence | T1505.003 | Web Shell | Backdoor in a legitimate route handler |
| Defense Evasion | T1027, T1140 | Obfuscated Files | Base64 and XOR to conceal malicious logic |
| Command & Control | T1071.001, T1102 | Web Protocols, Web Service | HTTP traffic to remote server, external C2 communication |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Sent sensitive data to the same channel |
| Impact | T1565.001 | Stored Data Manipulation | Modified filesystem data, risking credential theft |

6. Confronting the Bad Actor and Final Thoughts

Finally, after spending a full day debugging code, deobfuscating suspicious scripts, and testing everything in secure virtual environments, I decided to confront the bad actor behind this malicious job offer. Unsurprisingly, he never replied. My bigger concern is that he could be targeting other developers who may not be aware of these red flags.

Malicious job offers can be extremely convincing, especially for developers looking for exciting projects or quick gigs. By staying vigilant—verifying identities, inspecting code thoroughly, and using secure testing environments—you can protect both your work and your reputation from harm.

Stay Vigilant: Never rush to execute unfamiliar code on your personal machine. Always take time to review and debug it in a safe testing environment (like a VM or sandbox). This bad actor’s malicious code was deeply hidden—exactly the sort of trap that’s easy to miss when you’re eager to land a paying gig.

Report Suspicious Profiles: If you encounter questionable recruiters or malicious job postings, mass-report them to protect others in the community. By staying alert and sharing our discoveries, we can help ensure that aspiring developers remain safe from hidden threats.

Remember: A little skepticism goes a long way in safeguarding against cybersecurity threats.


Resources Used In This Article

I will share the repository I analyzed, but please do not run it on your machine; you have been warned!
