Source: linkedin_dm · Submitted 15/05/2026 · Assessment complete
This case involves a highly suspicious recruitment scam delivered via LinkedIn DM, with a high-risk verdict. The recruiter shared a coding assessment project that, upon closer inspection, contained multiple critical vulnerabilities. Evidence suggests the project was designed for remote code execution (RCE) and secret exfiltration. Specifically, the leaderboard controller in the backend used Function.constructor on remote input, allowing for RCE. This constructed function was then passed to `require()`, indicating a potential require injection. Furthermore, the profile service in the backend was configured to exfiltrate all environment variables to an external URL via `axios.post`, a clear indicator of secret theft. These combined signals strongly point to a sophisticated attempt to compromise the recipient's system and steal sensitive information under the guise of a coding assessment.