Twice today I've been invited to online meetings where I've been asked to download a GitHub repo containing a Node.js project, open a terminal and run npm i.

This installs malware which steals all your browser logins, passwords, SSH keys, and who knows what else.

Both interviews had the following similarities:

  • name doesn't check out on LinkedIn
  • invite comes from a random gmail address
  • no email/linkedin introduction
  • the interviewer says they're looking for [frac CTO], for a crypto gaming company
  • they go into detail about the company, even showing a Figma of the app/backend architecture
  • ask me to give my work history
  • THEN "can you share your screen, and we can go through the project source together"

That's when alarm bells ring. Luckily I have a new laptop that I've yet to install Node on, so scammer #1 failed. For the second one I was on my old MacBook, which did have Node on, and I got as far as npm i before I smelled a rat.

Now I'm changing all my passwords, logins, SSH keys and GitHub keys and wiping the MacBook. A fun weekend ahead!

Stay safe, there's a multitude of bastards out there.
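As an added example (not from the original post), a stdlib-only Python script that shows what npm i would execute in a cloned repo before you run it: the lifecycle hooks in package.json and any locked dependency that npm has flagged with hasInstallScript. The demo-app repo it builds, and the package names in it, are constructed for the demonstration.

```python
# Added example (not from the original post): list what `npm i` would execute
# before running it. Stdlib only, so it works on a laptop with no Node installed.
import json
import tempfile
from pathlib import Path

# Hooks npm runs automatically when installing a checked-out project.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def audit_package_json(path):
    """Return {hook: command} for each lifecycle hook defined in package.json."""
    scripts = json.loads(Path(path).read_text(encoding="utf-8")).get("scripts") or {}
    return {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}

def audit_lockfile(path):
    """Return locked dependencies that ship install scripts; npm records this
    as "hasInstallScript": true in package-lock.json v2/v3."""
    packages = json.loads(Path(path).read_text(encoding="utf-8")).get("packages") or {}
    return sorted(key.rsplit("node_modules/", 1)[-1]
                  for key, meta in packages.items() if key and meta.get("hasInstallScript"))

def audit_repo(root):
    """Combine both checks; an empty report means `npm i` runs no project code."""
    root = Path(root)
    pj, lock = root / "package.json", root / "package-lock.json"
    return {"hooks": audit_package_json(pj) if pj.is_file() else {},
            "deps_with_install_scripts": audit_lockfile(lock) if lock.is_file() else []}

def build_sample_repo():
    """Constructed sample (hypothetical names, not a real project): package.json
    hides a postinstall hook, and the lockfile pins one dependency with an install
    script. Returns the temporary directory it was written to."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo-app", "version": "1.0.0",
        "scripts": {"start": "node server.js", "postinstall": "node scripts/setup.js"}}))
    (root / "package-lock.json").write_text(json.dumps({
        "lockfileVersion": 3,
        "packages": {"": {"name": "demo-app"},
                     "node_modules/left-pad": {"version": "1.3.0"},
                     "node_modules/demo-native-addon": {"version": "0.1.0", "hasInstallScript": True}}}))
    return root

if __name__ == "__main__":
    # Anything listed here is code that would run on your machine during `npm i`.
    print(json.dumps(audit_repo(build_sample_repo()), indent=2))
```

npm i --ignore-scripts skips these hooks entirely, but the project's own code still runs the moment you npm start, so read the repo rather than relying on the flag alone.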