Blockchain Developer’s MetaMask Wallet Emptied in Deceptive Job Interview


A blockchain developer, Murat Celiktepe, has shared a distressing incident recounting a holiday experience that resulted in the loss of $500 from his MetaMask wallet to an individual posing as a ‘recruiter.’

Notably, Celiktepe was initially contacted on LinkedIn under the pretense of a genuine web development job opportunity.

Developer Falls Prey to Coding Job Scam

During the purported job interview, the recruiter instructed Celiktepe to download and debug the code from two npm packages, namely “web3_nextjs” and “web3_nextjs_backend,” both hosted on a GitHub repository.

Unfortunately, shortly after complying with the instructions, the developer discovered that his MetaMask wallet had been depleted, with more than $500 fraudulently withdrawn from his account.

The Upwork job listing requests applicants to “fix bugs and responsiveness [sic] on website” and claims to offer an hourly payment between $15 and $20 for a task expected to be completed in less than a month.

Intrigued by the opportunity, Celiktepe, who prominently displays an “#OpenToWork” tag on his LinkedIn profile picture, decided to take on the challenge. He downloaded the GitHub repositories the recruiter provided as part of the “tech interview.”

Technical interviews often involve take-home exercises or proof-of-concept (PoC) assignments, including tasks such as code writing or debugging. This makes the offer particularly convincing, even to people with technical expertise, such as developers.

It’s worth noting that the applications found in the mentioned GitHub repositories [1, 2] are valid npm projects, as evidenced by their format and the presence of the package.json manifest. However, these projects do not seem to have been published on npmjs.com, the largest open-source registry for JavaScript projects.

Community Steps Up to Unravel Attack’s Mystery

After sharing his unfortunate experience on social media, Celiktepe reached out to the community for assistance in understanding the mechanics of the attack. Despite scrutinizing the code within the GitHub repositories, he remains uncertain about the method used to breach his MetaMask wallet as he did not store his wallet recovery phrase on his machine.

In response to Celiktepe’s plea for help, the community rallied with genuine support, but opportunistic crypto bots offering assistance also replied. Unfortunately, scam accounts emerged as well, enticing him to connect with fraudulent “MetaMask support” Gmail addresses and Google forms.

Insights from the community suggest that the npm projects executed by Celiktepe might have allowed the attacker to deploy a reverse shell, potentially exposing vulnerabilities on the developer’s machine.

Other theories proposed by community members include the possibility that, instead of infecting the developer’s machine with malware, the illicit npm project might have copied passwords from a web browser with auto-fill enabled.

Additionally, some speculate that the code voluntarily run during the “tech interview” might have intercepted his network traffic, contributing to the security breach.
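
As an added example (not code from the article, the repositories or anyone quoted), the following Node.js script reviews the package.json manifest of an unfamiliar take-home project before `npm install` or `npm run` is used: it lists install-time lifecycle scripts, scripts that invoke a shell or downloader, and dependencies fetched from outside the npm registry. The article does not establish which mechanism was used in this incident; the sample manifest and every name in it are constructed.

```javascript
// Added example: static review of a package.json before installing or running it.
// npm runs these scripts automatically during `npm install`, with the user's privileges.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Dependency specs that bypass the registry: git, URL, local path, GitHub shorthand.
const NON_REGISTRY = /^(git(\+\w+)?:|https?:|file:|github:|[\w.-]+\/[\w.-]+(#.*)?$)/i;
// Script commands that start a shell, an interpreter one-liner or a download.
const RISKY_CMD = /\b(curl|wget|bash|sh|powershell|node\s+-e|eval)\b/i;

function auditManifest(manifestText) {
  const pkg = JSON.parse(manifestText);
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (INSTALL_HOOKS.includes(name)) {
      findings.push({ kind: "install-hook", name, detail: cmd });
    } else if (RISKY_CMD.test(cmd)) {
      findings.push({ kind: "risky-script", name, detail: cmd });
    }
  }
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (NON_REGISTRY.test(spec)) {
        findings.push({ kind: "non-registry-dependency", name, detail: spec });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical project and dependency names).
const SAMPLE = JSON.stringify({
  name: "takehome-frontend",
  version: "0.1.0",
  scripts: { dev: "next dev", postinstall: "node scripts/setup.js", lint: "eslint ." },
  dependencies: { next: "^13.4.0", "ui-helpers": "github:example-user/ui-helpers" },
});

for (const f of auditManifest(SAMPLE)) {
  console.log(`${f.kind}: ${f.name} -> ${f.detail}`);
}
```

A clean result covers only the manifest: the application code itself still runs with the user's privileges once it is started, so every flagged script and dependency, and the code they point to, needs to be read before anything is executed.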
