2 comments

can16358p 5 months ago
Something similar happened to me: got a job offer many months ago from someone on LinkedIn that I don't know... though these things happen a lot. My title back then had web3 and Solidity developer in the name. He sent me the link to a Git repo for an NFT marketplace, a simple React app. He told me that the previous dev quit and someone needs to complete the unfinished project. I downloaded the code but opened it in a VM, which turned out to be one of the best decisions of my life without even realizing it.

When I ran the app, some parts seemed broken, as expected; everything was otherwise normal. He then asked me whether I'm running in a VM or not, and some features wouldn't work in a VM and I should have run it on my actual computer. It was an immediate red flag (why would a React app need that?). I checked running processes on the VM and saw a Python instance. When I examined the opened files it pointed to a suspicious file, and it was a fresh VM and nothing in the project setup needs Python for anything. Then I zipped the project, sent it to ChatGPT and asked about malware, and it found a totally obfuscated dev-targeting malware-downloading script disguised as error handler middleware. If I ran it on my machine, it could have stolen at least a thousand bucks from my local crypto wallets: I checked the payload code via HTTP interception and realized that the script sends any private keys for crypto wallets to its own server, and I'd never be sure of my system again anyway.

I've warned the hosting company (though it seemed like a very cheap and sketchy one anyway), and I found out that the person on LinkedIn has blocked me in the meantime.

These are very real threats, be careful.
prophesi 5 months ago
The report[0] it links to goes into more detail (in Japanese), and gives the file hash values and domains it accesses.

[0] https://jp.security.ntt/tech_blog/contagious-interview-ottercookie