A backdoor in a LinkedIn job offer
2026-06-15 • Roman
A developer-targeted LinkedIn recruiting lure sent the author to a public GitHub repository containing a hidden Node.js backdoor. The malicious code in `app/test/index.js` assembled `https://rest-icon-handler.store/icons/77` and was designed to execute whatever the remote server returned, while `package.json` used an npm `prepare` lifecycle script so `npm install` would trigger it automatically. The operation also used borrowed identities: commits were attributed to a real developer who denied involvement, and the recruiter profile appeared to impersonate a real non-technical journalist.
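The `prepare` hook described above is one of several scripts that npm runs on its own during `npm install`. As an added example (not code from the original report or from the repository it describes), this Node.js function lists those hooks in a `package.json` before anything is installed; the sample manifest and its `prepare` command are constructed for illustration.

```javascript
// Added example: list the package.json scripts that `npm install` runs automatically.
// Hook names follow npm's documented lifecycle order for a local `npm install`.
const AUTO_RUN_HOOKS = [
  "preinstall", "install", "postinstall",
  "prepublish", "preprepare", "prepare", "postprepare",
];

// Return what each `node ...` call in a hook command would execute,
// so a reviewer knows which files to read before installing.
function nodeTargets(command) {
  const targets = [];
  for (const segment of command.split(/&&|\|\||[;|]/)) {
    const tokens = segment.trim().split(/\s+/);
    if (tokens[0] !== "node") continue;
    const args = tokens.slice(1);
    if (args.some((t) => ["-e", "--eval", "-p", "--print"].includes(t))) {
      targets.push("<inline code>"); // code passed on the command line, no file to read
      continue;
    }
    const file = args.find((t) => !t.startsWith("-"));
    if (file) targets.push(file);
  }
  return targets;
}

function auditLifecycleScripts(packageJsonText) {
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
  } catch (err) {
    return { ok: false, error: "package.json is not valid JSON", findings: [] };
  }
  const scripts = (pkg && typeof pkg.scripts === "object" && pkg.scripts) || {};
  const findings = AUTO_RUN_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook], files: nodeTargets(scripts[hook]) }));
  return { ok: true, findings };
}

// Constructed sample manifest (assumption: the real repository's exact command is not shown).
const SAMPLE = JSON.stringify({
  name: "constructed-sample",
  scripts: { test: "jest", prepare: "node app/test/index.js" },
});

for (const f of auditLifecycleScripts(SAMPLE).findings) {
  console.log(`${f.hook}: ${f.command} -> review ${f.files.join(", ") || "(no node target)"}`);
}
```

Reading the flagged files first, or installing with `npm install --ignore-scripts`, keeps the hook from running while the repository is reviewed.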
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | rest-icon-handler.store | 2026-06-17 | 2026-06-17 |
| URL | https://rest-icon-handler.store… | 2026-06-17 | 2026-06-17 |