| ▲ | wxw 6 hours ago |
| > a recruiter at a small crypto startup [...] she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.” > ...buried between walls of commented-out tests, the payload runs anything the server sends back to your machine. > npm runs prepare automatically after npm install, so just installing dependencies executes the backdoor. > The instruction to “check out the deprecated Node modules issue” was bait to get me to run npm install. Great catch. I've not been phished on LinkedIn before. Surprised it's getting this bad. |
|
| ▲ | pants2 5 hours ago | parent | next [-] |
| LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile. We've had fake recruiters that claim to work for us running basically the same scam. These are great fake profiles: LinkedIn Premium, tons of relevant posts, etc... but they don't work for us, and we get angry messages from people saying our recruiter tried to scam them. No, they're not our recruiter despite showing up on our company page on LinkedIn. No number of reports could get them taken down. I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn, but not all startups have that connection! |
| |
| ▲ | tweetle_beetle 5 hours ago | parent | next [-] | | LinkedIn didn't even disavow people pretending to work for LinkedIn until someone had too much fun with it - https://chrisduffycomedy.com/blog/2016/11/2/6-months-as-the-... | | | |
| ▲ | sensanaty 5 hours ago | parent | prev | next [-] | | My last 2 companies, LinkedIn asked me to add an email address associated with said company and actually confirm via said email in order to add them to my profile. So, if I worked for FooCompany, I had to have a @FooCompany.com email which is set up by someone at the company itself. Does this not cover what you're talking about? | | |
| ▲ | pants2 4 hours ago | parent | next [-] | | According to my research, LinkedIn only does this for executive and now recruiter-like titles, but not broadly. You may be able to in order to get "verified on LinkedIn" but it's not a requirement for showing association with a company. https://www.theverge.com/news/771210/linkedin-recruiter-exec... | | | |
| ▲ | 3abiton 3 hours ago | parent | prev [-] | | I have the same. The difference is, if you do email verification, you will get "verified" status. If not, you can still add the company to your LinkedIn, just unverified, which is not a label. |
| |
| ▲ | prawn 14 minutes ago | parent | prev | next [-] | | How does that not become a legal issue? | |
| ▲ | ChrisMarshallNY 2 hours ago | parent | prev | next [-] | | > LinkedIn offers no way for $company to disavow users who claim to work for $company - they will appear on the official company page as long as it's in their profile. I remember getting an office manager, working from Dubai (I think), for my one-person, basically nonexistent company, working from my living room, in New York. She may still be there. I never bother checking into LI, except making an occasional post, every few months. | |
| ▲ | 5 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | cbm-vic-20 2 hours ago | parent | prev | next [-] | | I was looking for people who I had worked with at a company that was acquired 15 years ago, and some random person claims to be the CEO of that company. | |
| ▲ | underlipton 4 hours ago | parent | prev | next [-] | | >I finally got it solved by buying drinks for a buddy of mine that works for LinkedIn I'd like people to understand that this is a form of corruption. We've normalized many like it. LI knows that the only way to force them to fix the issue is to go through a drawn-out legal process, save a spate of bad press (RIP 60 Minutes), so of course they won't. | | |
| ▲ | jrockway an hour ago | parent | next [-] | | I agree with you. I used to work for an ISP that sold kind-of overpriced 1Gbps connections and always wondered why customers bought it. Probably helping things was that we took them out to "events", floor seats at basketball, etc. The company just has a fixed expense, but the people making the decision get free stuff that makes them feel important, and it was kind of a way of transferring the company's money (by not buying the $29/month Internet connection) to themselves. I never felt good about it, but if you say that out loud, everyone will look at you like you're crazy. AWS did this for us at the time but the 3 people in the company that used AWS services never got to go to these things. So I doubly don't get it. | |
| ▲ | bit-anarchist 2 hours ago | parent | prev | next [-] | | And I'd like people to understand that, legally, corruption necessarily involves the government. Informally, corruption has been applied to any type of bureaucracy but, even then, an exchange of favors itself isn't corruption, only if an unauthorized deviation from the involved agent's role happens. Not that relying on this is a good idea. | | |
| ▲ | lazide 2 hours ago | parent [-] | | Bwahaha, no it doesn’t. Legally ‘corruption’ doesn’t exist, as in there is no single law saying ‘corruption is illegal’. (What is ‘corruption’ exactly?) There are laws against bribery, which does generally only apply to the government, but in many locations applies to pseudo-government roles like notaries, apostilles, lawyers, etc. There are laws against embezzlement (a type of corruption), and those definitely apply to private individuals. There are laws against insider trading, a type of corruption. Those generally only apply to businesses/private folks, not the government, with some exceptions. Then there are the various kinds of fraud, blackmail, etc. Most people would consider them corruption too. Those apply to private individuals and government agents too. And many more. It’s a smorgasbord. |
| |
| ▲ | sublinear 4 hours ago | parent | prev [-] | | [flagged] |
| |
| ▲ | throwaway7783 4 hours ago | parent | prev [-] | | LinkedIn doesn't have any redressal mechanisms for anything. Someone I knew went through a lot of abuse by a LI user and kept making new accounts to harass. LinkedIn's response - "We did not find anything that violates our ToC". No wonder it has become a cesspool of spam, fraud and abusers. |
|
|
| ▲ | gleenn 6 hours ago | parent | prev | next [-] |
| Friends don't let friends use NPM. At this point it is so wildly crazy watching people get owned, I don't understand how anyone uses it when they could use e.g. pnpm and block one of the most obvious and frequently exploited holes. These tools with arbitrary code execution when trying to download some code have got to stop. Edit: typos |
| |
| ▲ | afpx 5 hours ago | parent | next [-] | | Github / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently. | | |
| ▲ | jjice 5 hours ago | parent | next [-] | | They have some changes here in v12: https://github.blog/changelog/2026-06-09-upcoming-breaking-c... | | | |
| ▲ | sheept 4 hours ago | parent | prev | next [-] | | Is it possible to fix it in a backwards compatible way? Removing lifecycle scripts is at least a semver major change, and would complicate existing projects relying on packages with lifecycle scripts from upgrading. | | |
| ▲ | evilduck 2 hours ago | parent [-] | | This is a real world trolley problem scenario. You can break workflows or you can let everyone get pwned by supply chain attacks. Which is the greater harm? | | |
| ▲ | sheept 2 hours ago | parent [-] | | People will not adopt a safer version if it broke their workflows. Adoption is part of preventing supply chain attacks. |
|
| |
| ▲ | 2 hours ago | parent | prev [-] | | [deleted] |
| |
| ▲ | winddude 5 hours ago | parent | prev | next [-] | | > Friends don't let friends use NPM or linkedin | | |
| ▲ | jzig 5 hours ago | parent [-] | | I don't have friends, therefore I must use LinkedIn to get a job. Hooray! |
| |
| ▲ | nijave 3 hours ago | parent | prev | next [-] | | >These tools with arbitrary code execution when trying to download some code have got to stop But you still end up with the code on your machine and risk it being run. Bigger issue is giant, inscrutable dependency trees. In this example, if they tried to run the test suite or application, they'd have been in the same boat. Afaik all or most languages have some way to run arbitrary code at install time but it seems node is the main one getting targeted. I think the bigger issue here is just people running untrusted things. | | | |
| ▲ | 0x20cowboy 3 hours ago | parent | prev | next [-] | | I agree, but I’d extend that to any language using a package manager at this point. “A little copying is better than a little dependency” even more correct now. All my current projects have all the code needed in the repo (unless impossible, and aside from a compiler which I guess could also be compromised) | | | |
| ▲ | 5 hours ago | parent | prev [-] | | [deleted] |
|
|
| ▲ | mhitza 5 hours ago | parent | prev | next [-] |
| Things like this were a tried and tested method on Upwork, particularly in the 2021-2022 crypto/nft highs. At some point they branched out from crypto projects and cast a wide net across different categories. Last I recall was a download of a windows scr (screensaver masquerading) file. LinkedIn is a new low, and I'm sure the platform doesn't really care (look, more jobs), just as ad network companies (Google, Meta) don't really care about scam ads. |
| |
| ▲ | democracy 3 hours ago | parent [-] | | I reported a fake costco website ad (cc harvester) to Google, their response was something along "we cannot verify the ad", go figure |
|
|
| ▲ | firefax 5 hours ago | parent | prev | next [-] |
| I've had people phish for my email then hit that with some bullshitpowershellladendoucument.pdf.docx crap, but sending it directly in the IM? Bold strategy cotton, let's see if it pays off. |
|
| ▲ | 2 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | burnte 6 hours ago | parent | prev | next [-] |
| I haven't been phished like this but I've certainly had fraudsters try to con me into meetings or schemes, etc. |
|
| ▲ | coip an hour ago | parent | prev | next [-] |
| It’s been this bad for a little while, iirc have seen a few of these pop up over the last few years. And that’s just for the few someone’s caught/documented |
|
| ▲ | quietsegfault 2 hours ago | parent | prev | next [-] |
| I recently went through an interview-o-thon and got a couple obvious scammers. I hope it’s because it’s more prevalent, and not because I seem stupid enough to fall for it! |
|
| ▲ | citizenpaul 4 hours ago | parent | prev | next [-] |
| I'm not. I call it identitythiefresourcecenter.com or its shorter name freecriminalresource.com I hate how normalized it became for "HR" to require you having a LI page for a job. I don't think it's as bad now but for a while it was essentially not possible to get a job without putting all your personal info on linkedin. |
|
| ▲ | cyanydeez 6 hours ago | parent | prev [-] |
| Surprise is unwarranted as LinkedIn enshittifies. This type of thing is exactly what happens when neither the user of the service, nor the third party commercial interests are being served by the commercial enterprise. It's a vacuum that scams enter into. |
| |
| ▲ | bee_rider an hour ago | parent [-] | | LinkedIn is unusually resistant to enshittification; it started that way. |
|