Forem: Michael M

I Was Given a “Job Assignment” That Installed Malware

Michael M — Mon, 10 Nov 2025 20:56:51 +0000

Here’s What Happened and What I Did To Handle It

A few days ago, a supposed recruiter contacted me on LinkedIn for a “Web3 Full Stack Developer” role. Everything seemed normal; the messages were professional, the challenge looked legit, and they shared a Bitbucket link to a Node.js project for a take-home assignment.
The PDF instructions looked like a typical coding test:
Add wallet connection functionality

Build a simple Notes CRUD API
Show a demo video via Loom
Nothing suspicious; until I ran npm install.

What Happened After Running `npm install`

Almost instantly, I noticed abnormal activity:

Multiple Node processes started in the background
nethogs showed outbound traffic even after closing my terminal
CPU usage from /home/michael/Development/poc_v2394 kept increasing
A script named mainThreadFallback.js was loaded unexpectedly

After digging deeper, I discovered a malicious script that was quietly searching for sensitive files like .env, SSH keys, and browser tokens….. then attempting to exfiltrate them to a remote cloud server.

It mimicked legitimate dependencies but ran post-install hooks through a hidden script, making it look like part of the build process.
Once confirmed, I immediately isolated the directory, stopped all related Node processes, and scanned for lingering connections using:

sudo ss -tnp
ps -ef | grep node

Every malicious PID was tied to that project path.

What I Did Next

Killed every suspicious process: pkill -f poc_v2394
Removed the infected folder entirely.
Revoked and regenerated SSH keys (both personal and server-side).
Reset tokens from GitHub, servers, and cloud services.
Audited network connections (ss, lsof, netstat,nethogs ) for hidden Node instances.
Cleaned global npm cache and removed possible global infections: npm cache clean --force & sudo rm -rf ~/.npm ~/.cache
Rebooted and verified all background processes

What do you think? Should I have take more, additional steps?

Aftermath

When I told the “recruiter” that his project contained malware, he immediately blocked me. That was the final confirmation that it was bad news.

The assignment was nothing but a social engineering trap targeting devs; hiding data-stealing malware inside a fake “job challenge.” While not uncommon especially considering the uptick of DPRK driven exploits, this seemed to have caught me off guard.

It was a modern, targeted attack on engineers who trust shared repositories from supposed employers.

Lessons for Developers

Never run npm install blindly on code you didn’t verify.
Always inspect package.json and look for suspicious postinstall scripts.
Use --ignore-scripts flag on unknown projects

What else did I learn?

Dark Times Ahead!!!

This was a targeted exploitation of developer trust. Recruitment scams are very present and evolving: instead of phishing emails, they now use take-home tests to infect machines and extract credentials. And LinkedIn is their breeding ground.

If you’re a developer, stay paranoid, sandbox unknown projects, and never trust code just because it came from a “recruiter.”

The Art of Growing a Small Development Team: Lessons Learned

Michael M — Mon, 10 Jun 2024 14:00:09 +0000

As a tiny web dev team with just the two of us, we recently had to deal with the fun challenge of finding a new teamie. This whole deal really made us realize that throwing a bunch of new people into the mix right away isn't always the best move. It's like everyone thinks, "more peeps, less work, yay!" But, in reality, it can totally backfire.

The thing is, when you go on a hiring spree and add a bunch of new folks too quickly, you're actually setting yourself up for more drama than a reality TV show. You've got more bureaucracy, a higher chance of miscommunication, and everyone leaning on each other like we're playing a giant game of Jenga. This can lead to projects turning into a hot mess and deadlines going out the window.

Onboarding and getting everyone up to speed is obviously important, but it's not just about teaching the newbies the ropes. You've gotta make sure everyone's got their own stuff to do, so it's fair and the work gets done right. If you don't, you'll have some peeps bored out of their minds and others drowning in work, which is a total no-go for team vibes.

For us, the struggle was real because I was basically the only one who could handle the training gig. My buddy, bless their heart, wasn't quite up to the task, which meant I had to juggle it all. This isn't ideal, because it puts a lot of pressure on me and might not give the new folks the best start.

So, trying to get a bunch of new hires up and running at the same time, especially with the situation we had, is like trying to solve a Rubik's Cube blindfolded. It's way better to add just one new person at a time, get them all cozy and confident, and then let them help out with the next round of newbies. That way, everyone learns and grows together, and you don't end up with any weak links in the chain.

Companies get all excited about growing super fast and hiring a ton of people, but that's like trying to build a house without a blueprint. It's bound to fall apart. What you really wanna do is take it slow, hire one dev at a time, and make sure they're fully ready to rock before you bring in the next one. That way, you build a solid team that actually works well together.

In the end, it's not about adding a bunch of bodies to the team as quickly as you can. It's about growing in a way that makes everyone stronger, smarter, and ready to tackle whatever comes next. Each new person should be like a Lego block that fits just right and helps build a cooler castle. Do it carefully, and you'll end up with a team that's unstoppable.

Why Core Knowledge in HTML, CSS, JavaScript, and PHP is Timeless

Michael M — Fri, 07 Jun 2024 08:32:44 +0000

Web development, man, it's like it's on some kind of fast-forward button! New stuff pops up all the time, saying it'll make our lives easier and work smoother. But here's the thing: there's a big difference between hopping on the latest bandwagon and really knowing your stuff when it comes to the tech that makes the internet tick. So, let me tell you a story about this developer buddy of mine, John. His career had some serious ups and downs because of this whole framework deal.

John, he started out hot. Straight out of college, he scored a sweet gig at a big tech place. He knew this one framework like the back of his hand, and he was whipping out killer web apps like nobody's business. Dude was on fire, and he knew it.

But time goes by, and tech changes faster than fashion trends. Those new frameworks come along, and suddenly the one John was all about isn't the cool kid anymore. The thing is, these new toys need you to get down with the nitty-gritty – HTML, CSS, JavaScript, PHP – all the stuff that's like the internet's building blocks. And John? He never really got that deep into it.

So now, the company's got these young bucks coming in, and they're like sponges with these new frameworks because they actually get the core stuff. John's stuck trying to keep up, and let's just say it's not pretty. His mojo's gone because he's trying to use tools he doesn't really understand.

Fast forward to now, and John's still there, but he's not the big shot anymore. His workmates respect his OG status, but they feel bad because he's stuck in the slow lane of tech. And it's all because he didn't wanna learn the boring stuff everyone thought was old news.

So if you're in the game or looking to hire someone, take a page out of John's book, but learn from his mistakes. You wanna be the developer that's versatile, not the one who's left in the dust. Frameworks are cool, like the latest gadgets, but if you don't get the basics, you're gonna struggle when the next big thing hits.

I've seen it with job seekers, too. They come in all flashy with their framework skills, but when it comes to the real McCoy – the stuff that actually makes the internet work – they're lost. The ones who get it, who can ride the wave of change because they know their HTML from their elbow, they're the ones that shine.

So the moral of the story? If you're starting out in web dev or you're the boss man looking for fresh talent, remember John. Spend some quality time with the core tech – HTML, CSS, JavaScript, PHP – it's like your bread and butter. That way, you'll always be ready for whatever the tech world throws at you.

And don't be John, you know? Get those basics down pat, and you'll be set for life. Frameworks are fun, but they're like fads. Knowledge of the core stuff? That's your golden ticket, buddy. It's what keeps you ahead of the game, no matter what.

Learn HTML,CSS and JavaScript, This knowledge will never get stale,Unlike frameworks.

Michael M — Sun, 28 Oct 2018 13:42:15 +0000