Наталя Хандусенко | Hot News
10 July 2025, 15:28
Developer reveals how a "promising Canadian with a promising project" tried to hack him
Frontend Developer Valentin Oliynyk received an offer to work on a healthcare project with artificial intelligence integration. Everything looked “innocent” until it came to the project’s GitHub repository. What did the developer discover after his little investigation?
"It all started innocently: he is a promising Canadian with a promising project. He has 800+ contacts, a profile from 2010, constant posts about the same company. Moreover, the posts are really stable and there are even 4-year-old ones about the company he currently works for. He says there is a project in healthcare with the integration of artificial intelligence. He asked about my CV and what I worked with. Then he asked for my GitHub to share the project's repo. And here, unfortunately, the innocence begins to end," wrote Valentyn Oliynyk on LinkedIn.
As the developer explained, the project was built on Next, with a frontend and a backend, authorization via JWT and Google Gemini integration; it has 70 scripts and React components.
"Interestingly: the project was uploaded in one commit 7 months ago... I asked the esteemed gentleman why that was. To which he replied: 'It turned out that the programmer didn't know Git.'"
The fact that the programmer wrote the frontend and authorization but didn't know Git made the developer suspicious, so he decided to check everything out.
The Canadian's photo on LinkedIn was of poor quality and looked natural, so a Google image search found nothing. Then Valentin simply Googled the name, and it turned out to be very similar to that of the French artist Jean-François Millet. The only difference is that the Canadian's last name is Millot.
Before starting to search the code for the magic words of all "crazy hackers", namely Function.constructor, the developer found the cities.js file, which has something that could potentially harm the computer.
The screenshot above shows the verifyToken function, which:
uses the locationToken variable. “This is a variable from the config file and it looks like a token: aHR0cDovL2Zhc2hkZWZpLnN0b3JlOjYxNjgvZGVmeS92MTE=. This is a base64 encoded http URL,” explains the IT guy;
on line 37, decodes this token into the URL using the setApiKey function;
The verify function makes a POST request to this URL.
Valentin didn't click on that URL, so he only made an assumption about what might happen next.
“If the link returns an error code, then we get into the catch. With the error code, most likely, comes text, that is, potentially dangerous JS code, which is converted from a string into full-fledged code. And all this code is assigned to the errorHandler variable, converted into a function. This code is called with require passed to it, to import any modules and then use, for example, the fs module against my system. Well, on line 58 this function is called, that is, when the project is started and this cities.js file is loaded, the attack will begin,” explains the developer.
Out of caution, Valentin did not launch this project in Docker, and did not "fetch info from this link aka locationToken."
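The two markers the developer describes, a base64 string in config that decodes to a URL and a string turned into a function that is then handed require, can be searched for in a cloned repository without running or fetching anything. The Node.js sketch below is an added example, not code from the repository or from Valentin's post; the sample file contents, the example.invalid URL and the rule names are constructed for illustration.

```javascript
// Added example: static triage of source text. Nothing is executed or fetched.
const B64_LITERAL = /["'`]([A-Za-z0-9+\/]{16,}={0,2})["'`]/g;
const DYNAMIC_CODE = [
  { rule: "function-constructor", re: /\bFunction\s*\.\s*constructor\b|\bnew\s+Function\s*\(/ },
  { rule: "eval-call", re: /\beval\s*\(/ },
  // `require` handed to another function as a value, e.g. errorHandler(require)
  { rule: "require-passed-as-argument", re: /\(\s*require\s*[,)]/ },
];

// Return a defanged URL if the literal base64-decodes to an http(s) URL, else null.
function decodeIfUrl(literal) {
  const text = Buffer.from(literal, "base64").toString("utf8");
  if (!/^https?:\/\/[\x21-\x7e]+$/i.test(text)) return null;
  return text.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

// Scan one file's text line by line and collect findings with line numbers.
function scanSource(file, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(B64_LITERAL)) {
      const url = decodeIfUrl(m[1]);
      if (url) findings.push({ file, line: i + 1, rule: "base64-encoded-url", detail: url });
    }
    for (const { rule, re } of DYNAMIC_CODE) {
      if (re.test(text)) findings.push({ file, line: i + 1, rule, detail: text.trim() });
    }
  });
  return findings;
}

// Constructed sample input mimicking the shape described in the article (assumption:
// the real files are not reproduced here; the URL is a reserved, non-resolving name).
const sampleToken = Buffer.from("http://example.invalid:8080/api").toString("base64");
const SAMPLE_CONFIG = `module.exports = { locationToken: "${sampleToken}" };`;
const SAMPLE_CITIES = [
  'const { locationToken } = require("./config");',
  "// ... request and error handling omitted ...",
  'const errorHandler = new Function.constructor("require", body);',
  "errorHandler(require);",
].join("\n");

const report = [...scanSource("config.js", SAMPLE_CONFIG), ...scanSource("cities.js", SAMPLE_CITIES)];
for (const f of report) console.log(`${f.file}:${f.line} ${f.rule} ${f.detail}`);
```

A hit is a reason to read the flagged lines before installing dependencies or starting the project, not proof of malice: build tools and template engines also use dynamic code.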