Марія Бровінська, That's Life
16 January 2025, 11:38
"I found some very interesting code outside the working visibility zone." A Senior Frontend Developer described how he encountered a scam: a project that looked perfectly clean on the outside but hid a threat in its code. Such cases, IT experts say, are not uncommon.
Senior Frontend Developer Daniil Litvak encountered a scammer who offered to complete and install a project. However, the developer discovered something interesting in the code.
«Just had an experience with a scammer. Never install projects, no matter how good the story or the promised hourly rate. Mr. Richard Goldberg wrote to me with a very interesting proposal. First, I was surprised that he immediately sent a link to the project on GitHub. I looked at it, and it seemed that nothing needed to be installed — everything looked clear from the code. The project looked like a junior's final assignment after the courses. But I never install projects on the main system that I am not sure about. The proposal really looked interesting. So I decided to check it out. I found very interesting code outside the working visibility zone. I don't have time to understand it in detail, but I am sure that it will not lead to anything good,» the specialist noted and showed the correspondence with the interlocutor.
«At first, I focused on the dependencies needed for the project. I compared libraries that were familiar to me, even just by name. It didn't take much time, but it was interesting. Then I checked the scripts that are executed from package.json, and at first I didn't notice anything. However, after looking at the scripts more carefully a second time, I noticed a horizontal scroll bar. Years of working on the layout of HTML sites, especially for mobile devices, must have trained my eye to notice the scroll bar, which used to annoy me so much,» Litvak said, explaining how he spotted the suspicious elements.
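The trick Litvak describes, a command padded with whitespace so the real payload sits past the visible edge of the editor, can be checked for mechanically. The following is an added example, not code from the article or from the project it describes: it parses a package.json, flags lifecycle hooks that npm runs automatically on install, and reports any script line that is padded far beyond a normal editor width, returning the text hidden behind the padding. The sample package.json, the 120-column editor width and the placeholder path are all constructed for the example.

```javascript
// Hooks that npm runs on `npm install` without the user invoking them.
const LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall', 'preprepare', 'prepare', 'postprepare', 'prepublish',
]);
const VISIBLE_WIDTH = 120; // assumed editor width; past this a horizontal scroll bar appears
const PAD_RUN = 40;        // a run of this many spaces/tabs inside a one-line script is suspicious

// Returns one finding per suspicious script: its name, the reasons, and whatever
// sits after the whitespace padding (the part a reader never sees on screen).
function auditScripts(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    const reasons = [];
    if (LIFECYCLE_HOOKS.has(name)) reasons.push('runs automatically on install');
    const pad = cmd.match(new RegExp(`[ \\t]{${PAD_RUN},}`));
    if (pad) reasons.push(`whitespace padding of ${pad[0].length} chars at column ${pad.index}`);
    if (cmd.length > VISIBLE_WIDTH) reasons.push(`line is ${cmd.length} chars, longer than ${VISIBLE_WIDTH}`);
    const hidden = pad ? cmd.slice(pad.index + pad[0].length).trim() : '';
    if (reasons.length) findings.push({ script: name, reasons, hidden });
  }
  return findings;
}

// Constructed sample: innocent-looking scripts plus a postinstall hook whose
// second command is pushed 200 spaces to the right. The hidden path is a placeholder.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'course-final-project',
  scripts: {
    start: 'react-scripts start',
    build: 'react-scripts build',
    postinstall: 'echo setup done' + ' '.repeat(200) + '&& node ./assets/.config.js',
  },
});

for (const f of auditScripts(SAMPLE_PACKAGE_JSON)) {
  console.log(`[${f.script}] ${f.reasons.join('; ')}`);
  if (f.hidden) console.log(`  hidden after padding: ${f.hidden}`);
}
```

Run it against a repository's package.json before `npm install`; an empty result is not proof of safety, only the absence of this particular trick.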
After the developer explained that he would not install the proposed project on the main server for security reasons, the interlocutor disappeared.
Similar schemes, IT experts note, are not uncommon.
Tech lead Vitaly Popov had a similar case. «I had a similar case, the repo provided was on Bitbucket. So consider Bitbucket as a negative signal. I launched the project on a VM, and it had a very simple design,» the specialist noted.
«I recently read a similar story from a foreign developer, but during the interview, they deployed the project, and he noticed some hidden oddities that were collecting data from the machine. Something like that. So, probably, this type of fraud is now gaining popularity. You have to be careful,» noted recruiter Oleksandra Mukomel.
By the way, Daniil's LinkedIn profile is currently blocked. The developer is also urging others to report the repository on GitHub.
Experts generally recommend using a virtual machine when getting acquainted with unknown projects.