Malware scam: Job offers trick developers with malicious repositories

Developers now need to be careful with job offers. Criminals are trying to distribute infostealers through them.

Hand on computer keyboard in a dark room

(Image: Portrait Image Asia/Shutterstock.com)

A reader contacted us and described a specific case on a marketplace that brings companies and freelancers together. There, they received a job offer that included access to a Git repository. An inconspicuous Node script, invoked when the project is started, then loads malicious code and anchors it persistently in the system.

Cloning the repository provided with the job offer is itself harmless. The malicious script only executes when the project is started, for example with “npm run”. According to the reader's analysis, the Node script downloads JavaScript code from the internet via HTTP and runs it through eval(), which turns the downloaded string into executable code. That code embeds itself in the user's home directory on the system, starts in the background, and connects to a command-and-control server.

The downloaded malicious code includes infostealer functions. It searches the computer for profiles of web browsers such as Brave, Chrome, Edge, Opera, and others and decrypts the stored credentials using the Windows Data Protection API (DPAPI). It also searches for and collects cookies, wallets from Electrum, Exodus, and MetaMask, as well as .env files, and then transfers them to the command-and-control servers, according to our reader's evaluation. The attackers can also use backdoor functions to execute shell commands, upload files, and download further files.

Microsoft apparently informed the reader that GitHub cannot do anything in this specific case, as it is a private repository. There was also no public tender for the supposed project, for example on Freelancermap or comparable providers. However, the fraudster took the trouble to choose a name that matches a developer profile when it is looked up with a search engine.

Kaspersky has known about such Git repositories for about three years and calls the scam “GitVenom”, for poisoned Git repositories. An article on dev.to describes the scam in the English-speaking world. There, the author also mentions some warning signs that indicate potentially malicious job offers, for example unsolicited job offers that sound too good to be true, or pressure to complete tasks as quickly as possible. The request to download and execute code as part of a job interview is also a “red flag”.

On a technical level, “base64-encoded garbage distributed everywhere” or included files that are never used should raise suspicion. Descriptions in the README that deviate completely from what the code actually does, or dependencies that make no sense in the project, should also make you suspicious. Brand new GitHub accounts without any significant history are also suspicious, as are multiple similar projects from the same account.

Developers should protect themselves by, for example, independently verifying everything and not blindly trusting emails: Does the company actually exist, and who is behind it? Is the job advertisement also on the organization's website? Is the company willing to conduct video calls and to respond meaningfully to detailed questions about itself? Isolating such development environments in virtual machines can help limit potential damage. In any case, developers now also need to be very careful not to fall for advanced malware scams.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.