I just got a scam attempt by a LinkedIn "recruiter"
2025-03-14 • Bruno
A LinkedIn recruiter-themed lure pushed a developer toward a Bitbucket repository and pressured them to run the project quickly, matching the fake-job social engineering used to compromise software developers. The repository’s visible Node.js code appeared ordinary, but a hidden, horizontally displaced payload in socket.js executed when the victim ran npm start. The payload collected host and environment details, contacted a remote server, wrote additional payloads into the user’s home directory, executed them through Node’s child_process.exec, and repeated its callback activity on a timer. The account and repository indicators, including an old single-commit project and immediate code-delivery pressure, are practical red flags for detecting recruiter-lure intrusions before any code is executed.
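As an added example (not code from the original post or the repository), the following Node.js function scans JavaScript source text for statements pushed off-screen by a long whitespace run, the hiding technique described above for socket.js. The 80-character threshold, the token list and the sample source are constructed assumptions.

```javascript
// Flags code hidden by horizontal displacement: statements placed after a long
// run of spaces/tabs so they sit off-screen in an editor or web code view.
const MIN_GAP = 80; // assumed threshold for a suspicious whitespace run
// Assumed token list, based on the behaviour the summary describes.
const RISKY = ["child_process", "exec(", "eval(", "homedir", "setInterval", "require("];

function findDisplacedCode(source, minGap = MIN_GAP) {
  const findings = [];
  // A whitespace run of at least minGap characters followed by real content.
  const gap = new RegExp(`[ \\t]{${minGap},}(?=\\S)`, "g");
  source.split(/\r?\n/).forEach((line, i) => {
    gap.lastIndex = 0;
    let m;
    while ((m = gap.exec(line)) !== null) {
      const start = m.index + m[0].length; // 0-based offset of the hidden code
      const hidden = line.slice(start);
      findings.push({
        line: i + 1,
        column: start + 1,
        visiblePrefix: line.slice(0, m.index).trim(), // what a reviewer sees
        tokens: RISKY.filter((t) => hidden.includes(t)),
        preview: hidden.slice(0, 60),
      });
    }
  });
  return findings;
}

// Constructed sample: an ordinary-looking line with a statement 400 columns out.
const SAMPLE = [
  'const io = require("socket.io");',
  "module.exports = function attach(server) {",
  "  return io(server);" + " ".repeat(400) +
    'require("child_process").exec("echo constructed-placeholder");',
  "};",
].join("\n");

console.log(findDisplacedCode(SAMPLE));
```

Read each .js file of an unfamiliar repository as text and pass it to `findDisplacedCode` before running npm start; any hit deserves a manual look with line wrapping enabled.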
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | fe64da1fe1f75b8030875b67434fff5b | 2025-03-14 | 2025-03-14 |