GPT-5.3-Codex System Card [pdf]

https://cdn.openai.com/pdf/23eca107-a9b1-4d2c-b156-7deb4fbc697c/GPT-5-3-Codex-System-Card-02.pdf
1•tosh•13m ago•0 comments

Atlas: Manage your database schema as code

https://github.com/ariga/atlas
1•quectophoton•16m ago•0 comments

Geist Pixel

https://vercel.com/blog/introducing-geist-pixel
1•helloplanets•18m ago•0 comments

Show HN: MCP to get latest dependency package and tool versions

https://github.com/MShekow/package-version-check-mcp
1•mshekow•26m ago•0 comments

The better you get at something, the harder it becomes to do

https://seekingtrust.substack.com/p/improving-at-writing-made-me-almost
2•FinnLobsien•28m ago•0 comments

Show HN: WP Float – Archive WordPress blogs to free static hosting

https://wpfloat.netlify.app/
1•zizoulegrande•29m ago•0 comments

Show HN: I Hacked My Family's Meal Planning with an App

https://mealjar.app
1•melvinzammit•30m ago•0 comments

Sony BMG copy protection rootkit scandal

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
1•basilikum•32m ago•0 comments

The Future of Systems

https://novlabs.ai/mission/
2•tekbog•33m ago•1 comments

NASA now allowing astronauts to bring their smartphones on space missions

https://twitter.com/NASAAdmin/status/2019259382962307393
2•gbugniot•37m ago•0 comments

Claude Code Is the Inflection Point

https://newsletter.semianalysis.com/p/claude-code-is-the-inflection-point
3•throwaw12•39m ago•1 comments

Show HN: MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

https://github.com/microclaw/microclaw
1•everettjf•39m ago•2 comments

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

https://github.com/AleatorAI/OMNI-BLAS
1•LowSpecEng•40m ago•1 comments

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

https://codemanship.wordpress.com/2026/01/05/the-ai-ready-software-developer-conclusion-same-game...
1•lifeisstillgood•42m ago•0 comments

AI Agent Automates Google Stock Analysis from Financial Reports

https://pardusai.org/view/54c6646b9e273bbe103b76256a91a7f30da624062a8a6eeb16febfe403efd078
1•JasonHEIN•45m ago•0 comments

Voxtral Realtime 4B Pure C Implementation

https://github.com/antirez/voxtral.c
2•andreabat•48m ago•1 comments

I Was Trapped in Chinese Mafia Crypto Slavery [video]

https://www.youtube.com/watch?v=zOcNaWmmn0A
2•mgh2•54m ago•0 comments

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)

https://www.cbp.gov/newsroom/stats/reported-employee-arrests
1•ludicrousdispla•55m ago•0 comments

Show HN: I built a free UCP checker – see if AI agents can find your store

https://ucphub.ai/ucp-store-check/
2•vladeta•1h ago•1 comments

Show HN: SVGV – A Real-Time Vector Video Format for Budget Hardware

https://github.com/thealidev/VectorVision-SVGV
1•thealidev•1h ago•0 comments

Study of 150 developers shows AI generated code no harder to maintain long term

https://www.youtube.com/watch?v=b9EbCb5A408
1•lifeisstillgood•1h ago•0 comments

Spotify now requires premium accounts for developer mode API access

https://www.neowin.net/news/spotify-now-requires-premium-accounts-for-developer-mode-api-access/
1•bundie•1h ago•0 comments

When Albert Einstein Moved to Princeton

https://twitter.com/Math_files/status/2020017485815456224
1•keepamovin•1h ago•0 comments

Agents.md as a Dark Signal

https://joshmock.com/post/2026-agents-md-as-a-dark-signal/
2•birdculture•1h ago•0 comments

System time, clocks, and their syncing in macOS

https://eclecticlight.co/2025/05/21/system-time-clocks-and-their-syncing-in-macos/
1•fanf2•1h ago•0 comments

McCLIM and 7GUIs – Part 1: The Counter

https://turtleware.eu/posts/McCLIM-and-7GUIs---Part-1-The-Counter.html
2•ramenbytes•1h ago•0 comments

So whats the next word, then? Almost-no-math intro to transformer models

https://matthias-kainer.de/blog/posts/so-whats-the-next-word-then-/
1•oesimania•1h ago•0 comments

Ed Zitron: The Hater's Guide to Microsoft

https://bsky.app/profile/edzitron.com/post/3me7ibeym2c2n
2•vintagedave•1h ago•1 comments

UK infants ill after drinking contaminated baby formula of Nestle and Danone

https://www.bbc.com/news/articles/c931rxnwn3lo
1•__natty__•1h ago•0 comments

Show HN: Android-based audio player for seniors – Homer Audio Player

https://homeraudioplayer.app
3•cinusek•1h ago•2 comments

Ask HN: Are they trying to hack me?

3•dgrcode•1mo ago
I'm in the middle of an interaction that has raised a few red flags, and at this point I'm confident this is part of a hacking attempt. But I thought asking here could give me a better perspective from an outsider. Here is the sequence of events:

Someone reaches out on LinkedIn claiming to have full-time and part-time roles that match my profile. I say I could be interested in part-time work and they immediately reply that there's a 4k monthly salary offer for 15-20 hours per week.

I reply that's half my hourly rate and they reply the client is almost willing to accept but wants to meet with me first. 1st red flag: no problem with doubling the offer.

I accept and book a time with their technical person. 2nd red flag: the calendar had pretty much full availability.

They tell me to complete a task before the meeting and provide a Microsoft Teams chat with someone from their team to talk about the task.

The person in the chat sends me a screenshot of two issues. I ask if they have the code on GitHub, to which they replied "github?". 3rd red flag.

Then the same person sends me a zip file and asks about my node version. 4th red flag.

At this point I'm already suspicious and not willing to run that code on my machine. I get a fresh Linux install on an old machine and download the code. I ask Cursor to find anything suspicious, and the only thing was a dependency mismatch between package.json and package-lock.json. I check the package present in package-lock, `json-map-source`, which is marked as a malicious package on https://security.snyk.io/package/npm/json-map-source. This package was removed from npm 18 days ago. Big red flag.

I check what npm's resolution of that mismatch is, and I find it would install `json-mappings`. I check on npm: this package was created 18 days ago, and the first and only version is 2.3.8, which happens to be the same version flagged as malicious for the package `json-map-source`. Massive red flag.

Furthermore, the package is not on git, it's uploaded by a throwaway email, and the README that is shown on npm lists the yarn install command as `yarn add json-map-source` (the malicious package). In the code the package is just loaded and passed as middleware to an express app. The package has `sqlite3` as a native dependency, which compiles native code.

As I'm writing this message I really don't see how this could be something other than a hack attempt, but I'd love to have someone else's input on this. Especially from people more knowledgeable about security than me, which is easy.

Thanks!

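The package.json / package-lock.json mismatch the poster found is something a script can surface before anything is installed. The following is an added example, not code from the thread or from any of the packages it names: it cross-checks the dependencies declared in package.json against the root entry of a lockfileVersion 2/3 lock, and also lists lock entries that will run install scripts (npm records these as `hasInstallScripts`), resolve outside registry.npmjs.org, or carry no `integrity` hash. Both input documents are constructed for the example, including the version strings and the `sha512-constructed` placeholders.

```javascript
// Added example (not from the thread): cross-check package.json against a
// lockfileVersion 2/3 package-lock.json before running `npm install`.
// Both inputs are constructed; versions and integrity values are placeholders.
const PACKAGE_JSON = JSON.stringify({
  name: "take-home-task",
  dependencies: { express: "^4.18.2", "json-mappings": "2.3.8" },
});

const PACKAGE_LOCK = JSON.stringify({
  name: "take-home-task",
  lockfileVersion: 3,
  packages: {
    // root entry: what the lock believes the project declares
    "": { dependencies: { express: "^4.18.2", "json-map-source": "2.3.8" } },
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      integrity: "sha512-constructed",
    },
    "node_modules/json-map-source": {
      version: "2.3.8",
      resolved: "https://registry.npmjs.org/json-map-source/-/json-map-source-2.3.8.tgz",
      integrity: "sha512-constructed",
      hasInstallScripts: true, // npm sets this when a package has (pre|post)install scripts
    },
  },
});

const REGISTRY = "https://registry.npmjs.org/";

// Strip everything up to the last "node_modules/" so nested and scoped
// entries ("node_modules/a/node_modules/@s/b") yield the package name.
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function auditLockfile(pkgJsonText, lockText) {
  const pkg = JSON.parse(pkgJsonText);
  const lock = JSON.parse(lockText);
  const packages = lock.packages || {};
  const root = packages[""] || {};

  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const lockRoot = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };

  // Names on one side only: the lock no longer describes what package.json asks for.
  const missingFromLock = Object.keys(declared).filter((n) => !(n in lockRoot));
  const notDeclared = Object.keys(lockRoot).filter((n) => !(n in declared));

  const installScripts = [];
  const offRegistry = [];
  const noIntegrity = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue;
    const name = packageName(path);
    if (entry.hasInstallScripts) installScripts.push(name);
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) offRegistry.push(name);
    if (entry.resolved && !entry.integrity) noIntegrity.push(name);
  }
  return { missingFromLock, notDeclared, installScripts, offRegistry, noIntegrity };
}

// Turn the raw result into the lines a reviewer would want to read.
function summarize(result) {
  const lines = [];
  if (result.missingFromLock.length || result.notDeclared.length) {
    lines.push(
      `lockfile drift: declared but not locked [${result.missingFromLock}], ` +
        `locked but not declared [${result.notDeclared}]`,
    );
  }
  if (result.installScripts.length) lines.push(`runs install scripts: ${result.installScripts}`);
  if (result.offRegistry.length) lines.push(`resolved off-registry: ${result.offRegistry}`);
  if (result.noIntegrity.length) lines.push(`no integrity hash: ${result.noIntegrity}`);
  return lines.length ? lines : ["no findings"];
}

console.log(summarize(auditLockfile(PACKAGE_JSON, PACKAGE_LOCK)).join("\n"));
```

Any non-empty `missingFromLock` or `notDeclared` list means `npm install` will resolve something the lock does not pin, which is exactly the situation the poster describes; the `installScripts` list is where native builds such as `sqlite3` would show up, so those names deserve a look before the install runs at all.
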
Comments

uyzstvqs•1mo ago
Yes, found the malware in json-mappings. /lib/const.js contains DEV_API_KEY, which is a base64 encoded URL to the actual malware, hosted on an external service. This variable gets used by /lib/caller.js to download and run it. The rest of the project is just copied from pinojs/pino.
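
The const.js / caller.js pattern uyzstvqs describes (a base64-encoded URL sitting in a harmless-looking constant, decoded elsewhere at runtime) can be caught with a cheap heuristic scan. The following is an added example, not the thread's own analysis or any package's code: it finds long base64-looking string literals, decodes them, and reports those that decode to an http(s) URL, plus files that decode base64 at runtime or reference execution sinks. The three sample files are constructed, the `DEV_API_KEY` value is built with `Buffer` from a placeholder URL on the reserved `.invalid` domain, and the hypothetical `lib/` file names mirror the ones named in the comment.

```javascript
// Added example (not from the thread): heuristic scan for base64-encoded
// URLs hidden in string literals, plus the code that decodes or executes them.
// All sample files are constructed; the encoded value is generated here so no
// base64 is hand-typed, and the URL uses the reserved .invalid TLD.
const SAMPLE_URL = "https://example.invalid/stage2.js"; // constructed placeholder

const SAMPLE_FILES = {
  "lib/const.js":
    `module.exports = {\n` +
    `  LOG_LEVEL: "info",\n` +
    `  DEV_API_KEY: "${Buffer.from(SAMPLE_URL).toString("base64")}",\n` +
    `};\n`,
  "lib/caller.js":
    `const { DEV_API_KEY } = require("./const");\n` +
    `const target = Buffer.from(DEV_API_KEY, "base64").toString("utf8");\n` +
    `// ... a real dropper would fetch \`target\` and execute the response\n`,
  "lib/logger.js":
    `const levels = { trace: 10, debug: 20, info: 30 };\n` +
    `module.exports = levels;\n`,
};

// A quoted run of 16+ base64 characters with optional padding.
const B64_LITERAL = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;
// Places where a literal is turned back into bytes at runtime.
const DECODE_SITE = /Buffer\.from\([^)]*["']base64["']\s*\)|\batob\s*\(/;
// Execution sinks worth a second look in a dependency.
const SINKS = /\b(eval|new Function|child_process|execSync|spawnSync|exec)\b/;

// Decode a candidate literal; return the text only if it is a plain http(s) URL.
function decodedUrl(literal) {
  const text = Buffer.from(literal, "base64").toString("utf8");
  return /^https?:\/\/[\x21-\x7e]+$/.test(text) ? text : null;
}

function scanFile(name, text) {
  const findings = [];
  for (const m of text.matchAll(B64_LITERAL)) {
    const url = decodedUrl(m[1]);
    if (url) findings.push({ file: name, kind: "base64-url", detail: url });
  }
  if (DECODE_SITE.test(text)) {
    findings.push({ file: name, kind: "base64-decode", detail: "decodes a base64 literal at runtime" });
  }
  const sink = text.match(SINKS);
  if (sink) findings.push({ file: name, kind: "exec-sink", detail: sink[0] });
  return findings;
}

// Scan every file of a package snapshot ({ path: contents }) and collect findings.
function scanPackage(files) {
  return Object.entries(files).flatMap(([name, text]) => scanFile(name, text));
}

for (const f of scanPackage(SAMPLE_FILES)) {
  console.log(`${f.file}: ${f.kind} -> ${f.detail}`);
}
```

On a real package the `files` map would be filled from the unpacked tarball; the useful signal is a `base64-url` hit in one file paired with a `base64-decode` or `exec-sink` hit in another, which is the split between const.js and caller.js that the comment describes. Short literals such as `"info"` never reach the decoder, so ordinary configuration does not trigger it.
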
dgrcode•1mo ago
Thanks a lot for investigating this further. I'll write a cleaner blog post to alert other potential victims. From the package downloads they're hacking around 200 people per week, just with `json-mappings`. I definitely would have fallen myself if it wasn't for the few red flags they didn't even try to avoid.
reliefcrew•1mo ago
Maybe finding this out was the point of the task? IOW, part of the interview... if you find the exploit you pass, if not fail.

Just theorizing.

uyzstvqs•1mo ago
Just quickly deobfuscated the payload as well (this is fun). It's a cross-platform infostealer that would've taken your browser cookies, saved passwords, clipboard, and different files including crypto wallets, documents and images.

Their C2 is 144.172.115[.]116 (RouterHosting LLC / Cloudzy in Utah, USA) on ports 8085-8087 over HTTP and WebSockets.

Relevant: https://www.securityweek.com/iran-run-isp-cloudzy-caught-sup...

> I definitely would have fallen myself if it wasn't for the few red flags they didn't even try to avoid.

Always use a VM for this kind of stuff, even if you're interviewing at Google. More advanced threat actors could also fake GitHub stars or npm downloads, or even use a hijacked dependency that used to be legitimate.