A Backdoor Disguised as a Job Offer Targets a Security Engineer
The attack shows how job seekers in tech can be targeted with malicious code disguised as a routine pre-hire review, and that even security-aware engineers can be caught off guard.
Reporting from 1 source: GIGAZINE.
Full-stack engineer Roman Imankulov was contacted on LinkedIn by someone claiming to recruit for a cryptocurrency startup. The recruiter sent a GitHub repository to review. Imankulov had an AI agent inspect the code, and the agent found a backdoor that would execute remote code on 'npm install'. The recruiter's profile was stolen from a real art journalist, and the repository's commit history was hijacked from another developer.
In early June 2026, Roman Imankulov received a LinkedIn message from someone claiming to recruit for a small cryptocurrency startup. After a few exchanges, the recruiter sent a GitHub repository and asked him to check a Node module issue. Imankulov, a full-stack engineer, had reviewed code for prospective employers before, but something felt wrong.
He ran an AI agent tool on a disposable virtual private server with instructions to report any suspicious parts. The tool found that the repository contained a backdoor that would execute code from an external server just by running 'npm install'. The repository's commit logs showed signs of real development, but the person whose name was on those commits told Imankulov they had been a victim of a GitHub repository hijacking and did not remember committing to that repo.
The recruiter's LinkedIn profile belonged to a real art journalist who had no background in software technology, yet the recruiter sent technical messages like 'Try installing with npm instead of pnpm.' Imankulov said he was aware of this type of attack but was still caught off guard when it happened to him.
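A reviewer handed an unfamiliar repository can read its package.json before anything is installed. The following is an added example, not code from the article or from the repository it describes: a static audit that lists the lifecycle scripts 'npm install' would run and any dependencies fetched from outside the registry. The article does not say which mechanism the backdoor used, so both checks are assumptions, and the sample manifest, its package names and its URL are constructed.

```javascript
// Added example: static pre-install audit of a package.json; it never runs npm.
// Assumption: the article does not say how the backdoor was triggered. This checks
// two documented ways a plain `npm install` pulls in or runs third-party code.

// Lifecycle scripts npm runs during `npm install` in a local project.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall',
                       'prepublish', 'preprepare', 'prepare', 'postprepare'];

// Patterns suggesting a script downloads content or evaluates inline/encoded code.
const REMOTE_HINTS = [/\bcurl\b/, /\bwget\b/, /https?:\/\//i,
                      /\bnode\s+(-e|--eval)\b/, /\beval\b/, /base64/i];

// Dependency specifiers that bypass the registry (git, URL tarball, GitHub shorthand).
const NON_REGISTRY = /^(git(\+\w+)?:|https?:|github:|[\w.-]+\/[\w.-]+(#.*)?$)/i;

function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const remote = REMOTE_HINTS.some((re) => re.test(scripts[hook]));
    findings.push({ kind: 'install-hook', name: hook, value: scripts[hook],
                    severity: remote ? 'high' : 'review' });
  }
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (NON_REGISTRY.test(spec)) {
        findings.push({ kind: 'non-registry-dep', name, value: spec, severity: 'review' });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not taken from the repository in the article).
const SAMPLE = {
  name: 'take-home-task',
  scripts: { test: 'jest', postinstall: 'node -e "require(\'./lib/setup\')"',
             prepare: 'husky install' },
  dependencies: { express: '^4.18.2',
                  'ui-helpers': 'git+https://git.example.invalid/x/ui-helpers.git' },
};

console.table(auditManifest(SAMPLE));
```

The audit covers only the top-level manifest; scripts declared by transitive dependencies need the same check, and 'npm install --ignore-scripts' skips lifecycle scripts entirely.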
Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.