This case involves a recruitment scam in which a malicious actor, posing as a recruiter from "DLabs," attempted to compromise a developer's system by sharing a GitHub repository presented as a React/Express platform MVP coding assessment. Analysis of the repository reveals several indicators of malicious activity. Webhook exfiltration patterns were detected in src/apis/index.js and server/controllers/auth.js, consistent with attempts to send environment variables to external servers. In server/controllers/auth.js, process.env is spread into the body of an axios.post request, which sends every environment secret on the host (API keys, tokens, database credentials) to the remote endpoint in a single call. A dangerous code execution pattern was also identified in server/routes/api/auth.js, where new Function is used to execute response.data (the body of a fetched HTTP response) as code, giving whoever controls that server arbitrary code execution on the developer's machine as soon as the project is run. A require_injection indicator in the same file (a require() call whose module path is not a fixed string literal) further reinforces the risk of arbitrary code loading. Together these signals strongly suggest that the repository is designed to exfiltrate sensitive information and execute attacker-controlled code on the victim's system; it should not be installed or run outside an isolated environment until those files have been reviewed.
Hi, we have an exciting opportunity. Please check out this repository for a coding assessment.
Thanks, I will take a look.
Disclaimer: This report is based on community-submitted information and automated analysis. It does not constitute legal advice or a definitive determination of fraud. Named or described entities may contest this report; if you believe this case contains inaccurate information, you may submit a correction or appeal. RTIdx processes takedown and correction requests within 7 days.