Developer Nearly Falls for LinkedIn Social Engineering Attack, AI Agent Catches Backdoor in Fake npm Repo
A Python developer narrowly avoided a supply-chain attack after an AI coding agent flagged a backdoor hidden in a fake Node.js repository sent by a LinkedIn recruiter posing as a crypto startup.
A sophisticated social engineering campaign targeting developers through LinkedIn nearly succeeded last week, but was foiled by a combination of human intuition and an AI-powered code review agent. Developer Roman Imankulov received a message from someone claiming to be a recruiter for a small crypto startup, asking him to review a Node.js proof-of-concept repository that wasn't working. Suspicious of the request, Imankulov spun up a virtual private server and used his AI coding agent, running Codex, to perform a read-only analysis of the code before executing anything.
The AI agent immediately flagged a file at app/test/index.js as malicious. The file contained a backdoor that would execute arbitrary commands from a remote server, with the malicious URL fragmented across multiple constants to evade static analysis. The attack was designed to trigger automatically when a developer ran npm install, thanks to a prepare lifecycle hook in the repository's package.json. Imankulov admitted he had skimmed the file himself and dismissed it as sloppy but harmless code, missing the trap entirely.
The attack vector is not new but remains highly effective because developers routinely run npm install on autopilot. "The adversary didn't rely on the target executing a suspicious binary; they relied on the target running a routine command: npm install," explained Devashri Datta, an independent open source and security architect, in an email to The Register. The malicious repository has since been removed from GitHub, though a clone remains accessible. Imankulov discovered that the commits were attributed to a developer who had been impersonated on GitHub multiple times, and the recruiter's LinkedIn profile appeared to be a fake tied to a real arts journalist.
This incident is part of a growing trend of supply-chain social engineering attacks targeting developers. Earlier this month, North Korean-linked scammers were reported to be running fake job interviews to compromise developer accounts. Imankulov's case highlights how AI agents can serve as a defensive tool, catching subtle obfuscation that human reviewers might overlook. "Used defensively at the developer endpoint, an AI agent isn't susceptible to fatigue or social pressure; it simply surfaces anomalous behavior," Datta noted.
A significant mitigation is on the horizon: npm 12, expected next month, will change the default behavior of npm install to disable the allowScripts setting, preventing lifecycle scripts from executing automatically. GitHub product manager Leo Balter explained that install-time lifecycle scripts are the single largest code-execution surface in the npm ecosystem. The update will require developers to explicitly allow scripts for trusted dependencies, closing the door on this class of attack.
LinkedIn continues to struggle with fake accounts. The platform restricted 386,000 accounts after user reports in the first half of 2025, up from 266,000 in the prior six-month period and 86,000 in early 2021. Imankulov's experience serves as a cautionary tale for developers to remain vigilant against unsolicited job offers and to leverage AI-assisted code review as a safety net.