The malicious code was hidden in a nested dependency of an apparently clean project.
The victim said that he dedicates his work to detecting these types of scams and was still deceived.
“They completely destroyed me with the most sophisticated hack I have ever encountered in my life. I am a developer. I know what scams look like. This didn’t look like one.” This is what the developer known in
According to his testimony, the attack began with a recruiter who contacted him about a supposed job offer as a frontend developer.
The company, Turshija explains, had a real website, a team page with photos and names, and a two-round interview process. The first round was with human resources. The second was a technical interview with two engineers via video call, one of whom was actually listed on the team page with a matching photo and name.
The developer targeted by this attack described the first meetings as a “normal conversation. The kind of talk you really enjoy.”
At the end of the second round they gave him a GitHub repository with a coding test to solve in a few minutes. One of the interviewers even joked about it. “Check it for back doors,” he told him, right when the developer mentioned scams aimed at programmers.
“That line was deliberate. He let my guard down exactly when I needed it most.”
Turshija, the developer targeted by this attack.
The code in the main repository was clean. The malware, according to the developer, was hidden in a nested dependency: a package called ‘winston-middleware’ which, in turn, imported another package called ‘next-runtimejs’. When the project was run, a script silently downloaded a back door.
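The dependency chain described above (clean repository, one dependency that pulls in a second package carrying an install-time script) is visible in a project's lock file before anything is executed. The following is an added example, not code from the article or from the developer: a Node.js audit that reads a package-lock.json (lockfileVersion 2 or 3, whose "packages" map marks packages that declare install scripts with the real field "hasInstallScript") and flags any package that either declares such a script or matches the two package versions the developer reported. The lock data embedded below is constructed for illustration; only the two flagged names and versions come from the article, and the function names are this example's own.

```javascript
// Added example (not from the article): audit a package-lock.json for transitive
// dependencies that run code at install time, before `npm install` is ever run.

// Package versions the developer reported as malicious, per the article.
const KNOWN_BAD = new Set([
  'winston-middleware@4.5.3',
  'next-runtimejs@1.0.3',
]);

// CONSTRUCTED lock data mirroring the article's shape: a clean-looking root,
// one direct dependency, and a nested package that declares an install script.
const constructedLock = {
  name: 'interview-task',
  lockfileVersion: 3,
  packages: {
    '': { name: 'interview-task', dependencies: { express: '^4.18.0', 'winston-middleware': '^4.5.0' } },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/winston-middleware': {
      version: '4.5.3',
      dependencies: { 'next-runtimejs': '^1.0.0' },
    },
    'node_modules/winston-middleware/node_modules/next-runtimejs': {
      version: '1.0.3',
      hasInstallScript: true, // npm sets this when preinstall/install/postinstall is declared
    },
  },
};

// Turn a lock key such as "node_modules/a/node_modules/b" into the chain "a > b".
function pathToChain(key) {
  return key
    .split('node_modules/')
    .filter(Boolean)
    .map((segment) => segment.replace(/\/$/, ''))
    .join(' > ');
}

// Return one finding per package that declares an install script or matches
// the known-bad list. `depth` > 1 means the package never appears in the
// root package.json, which is exactly how the article's payload stayed hidden.
function auditLock(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const chain = pathToChain(key);
    const segments = chain.split(' > ');
    const id = `${segments[segments.length - 1]}@${entry.version}`;
    const reasons = [];
    if (entry.hasInstallScript) reasons.push('declares an install-time lifecycle script');
    if (KNOWN_BAD.has(id)) reasons.push('matches a reported malicious package version');
    if (reasons.length > 0) {
      findings.push({ id, chain, depth: segments.length, reasons });
    }
  }
  return findings;
}

// Human-readable report for use on a real lock file: node audit.js package-lock.json
function formatReport(findings) {
  if (findings.length === 0) return 'no install scripts or known-bad packages found';
  return findings
    .map((f) => `${f.id} (${f.depth > 1 ? 'transitive' : 'direct'}: ${f.chain}) - ${f.reasons.join('; ')}`)
    .join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : constructedLock;
  console.log(formatReport(auditLock(lock)));
}
```

Run against the constructed data, the report lists winston-middleware@4.5.3 as a direct dependency matching the reported version and next-runtimejs@1.0.3 as a transitive one that also declares an install script. Pair a check like this with installing under `npm ci --ignore-scripts` when reviewing an unfamiliar repository, so that no lifecycle script can execute before the tree has been inspected.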
As Turshija explained, the only thing that alerted him was a macOS popup asking for permission to run a background process:
“Most would have clicked Allow without a second thought. After two rounds of interviews, on a video call with people you had built trust in for days, you trust. That was exactly what they were counting on.”
Turshija, the developer targeted by this attack.
Turshija disconnected from the internet in less than a minute, but by then the attackers had already captured 634 passwords saved in Chrome, the complete macOS keychain (the system store where the operating system keeps passwords and access keys, including the key that decrypts browser passwords) and data from his MetaMask wallet.
According to the developer, the malware was not an improvised kit but a professionally written program with its own encrypted protocol and specific commands to execute remote instructions, steal files, extract Chrome passwords, exfiltrate the keychain and attack cryptocurrency wallets.
“This was not a random attack. It was an operation. Fake website, fake LinkedIn profiles, real-looking engineers. A multi-stage interview process designed to build trust for days. All to get a developer to run their code.”
Turshija, the developer targeted by this attack.
The developer published the names and versions of the malicious packages (winston-middleware version 4.5.3 and next-runtimejs version 1.0.3) and the fake repository, reporting them to npm and GitHub.
His conclusion was direct: “The most terrifying thing is that I am the person who looks for these things. I’ve caught scams before. I examine the repositories before running them. They joked with me about back doors on the call. And then they caught me with one.”
An already documented pattern of the Lazarus Group
Although Turshija did not attribute the attack to any specific group, the pattern matches campaigns previously documented by CriptoNoticias.
On April 21, analyst Mauro Eldritch published on the ANY.RUN platform an analysis of “Mach-O Man,” a native malware kit for macOS attributed to the North Korean Lazarus Group, which uses the same social engineering logic: building trust for days with fake infrastructure and then getting the victim to voluntarily execute the code that compromises them.
Turshija’s testimony does not prove authorship, but it illustrates in operational detail how this type of attack operates today: it no longer targets the technical infrastructure of cryptocurrency protocols or platform code, but rather the people who build them.
