Developer finds backdoor hidden in GitHub repo sent through LinkedIn crypto startup recruiting pitch

A developer says a recruiter for a small crypto startup sent him a GitHub repo to review, but he found a hidden payload disguised as a Node test file. The code assembled a remote URL and would execute whatever the server returned, triggered automatically via npm’s prepare script during setup.

The incident highlights how fake recruiting workflows are being used as a malware delivery channel, especially in crypto and developer-heavy communities. It also underscores the value of sandboxing unfamiliar code and treating dependency installation as a high-risk action, not a routine step.