A LinkedIn Job Offer Tried to Install Malware on My Machine

2026-01-26 Code Crank

https://codecrank.ai/blog/linkedin-malware-warning/


A freelance code-review lure on LinkedIn led to a trojanized GitLab real-estate application that hid malware inside an otherwise functional React, Express, MongoDB, and SendGrid project. The infection chain abused npm lifecycle scripts: a `postinstall` hook started the application during `npm install`, which loaded an obfuscated IIFE in `server/controllers/userController.js`. That loader decoded Base64-encoded configuration, fetched a second-stage payload from jsonkeeper.com (a public JSON-hosting service), and executed it as code through `Function.constructor`. The payload was designed for socket.io command-and-control at `144.172.108.57:4891`, file discovery and upload to `144.172.108.57:4896`, clipboard monitoring, and persistence tracked through a `.npm` PID file. The case matters because it shows how credible recruiting personas and legitimate-looking repositories can be used to compromise developers before any contract or interview is completed: the code ran at install time, not when the reviewer chose to start it.

Indicators of Compromise

Type    Value                               First Seen    Last Seen
DOMAIN  calendly.com                        2024-10-29    2026-03-02
HASH    098f6bcd4621d373cade4e832627b4f6    2026-01-26    2026-01-26
EMAIL   [email protected]                   2026-01-26    2026-01-26
URL     https://jsonkeeper.com/b/ARL7M      2026-01-26    2026-01-26
URL     https://calendly.com/jack-murra…    2026-01-26    2026-01-26
IPv4    57.108.172.144                      2026-01-26    2026-01-26
IPv4    144.172.108.57                      2026-01-26    2026-01-26

Check these entries before blocking on them. calendly.com and jsonkeeper.com are legitimate public services; the indicators are the specific profile path (truncated here) and the specific jsonkeeper.com document path, not the domains. The e-mail address is redacted as extracted and carries no matchable value. The MD5 value 098f6bcd4621d373cade4e832627b4f6 is the hash of the string "test" and is not a meaningful file indicator. 57.108.172.144 is 144.172.108.57 with its octets in reverse order; the write-up itself names only 144.172.108.57 (ports 4891 and 4896), so the reversed form is most likely an extraction artifact rather than a second host.
