Ask HN: Are they trying to hack my computer?

1 | Author: dgrcode | about 2 months ago | Original post
I'm in the middle of an interaction that has raised a few red flags, and at this point I'm confident this is part of a hacking attempt. But I thought asking here could give me a better perspective from an outsider. Here is the sequence of events:

Someone reaches out on LinkedIn claiming to have full time and part time roles that match my profile. I say I could be interested in part time work and they immediately reply that there's a 4k monthly salary offer for 15-20 hours per week.

I reply that's half my hourly rate and they reply the client is almost willing to accept but wants to meet with me first. 1st red flag: no problem with doubling the offer.

I accept and book a time with their technical person. 2nd red flag: the calendar had pretty much full availability.

They tell me to complete a task before the meeting and provide a Microsoft Teams chat with someone from their team to talk about the task.

The person in the chat sends me a screenshot of two issues. I ask if they have the code on GitHub, to which they replied "github?". 3rd red flag.

Then the same person sends me a zip file and asks about my Node version. 4th red flag.

At this point I'm already suspicious and not willing to run that code on my machine. I get a fresh Linux install on an old machine and download the code. I asked Cursor to find anything suspicious, and the only thing was a dependency mismatch between package.json and package-lock.json. I check the package present in package-lock, `json-map-source`, which is marked as a malicious package on https://security.snyk.io/package/npm/json-map-source. This package was removed from npm 18 days ago. Big red flag.

I check what npm's resolution of that mismatch is, and I find it would install `json-mappings`. I check on npm: this package was created 18 days ago, and the first and only version is 2.3.8, which happens to be the same version flagged as malicious for the package `json-map-source`. Massive red flag.

Furthermore, the package is not on git, it's uploaded by a throwaway email, and the README that is shown on npm lists the yarn install command as `yarn add json-map-source` (the malicious package). In the code the package is just loaded and passed as middleware to an express app. The package has `sqlite3` as a native dependency, which compiles native code.

As I'm writing this message I really don't see how this could be something other than a hack attempt, but I'd love to have someone else's input on this. Especially from people more knowledgeable about security than me, which is easy.

Thanks!
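The manifest/lockfile mismatch the post describes can be checked mechanically before anything is installed. The following is an added example, not code from the post or from any project it mentions: it diffs a package.json against a lockfileVersion 2/3 package-lock.json and also flags per-package entries that run install-time scripts, lack an integrity hash, or resolve outside the public registry. Both documents are constructed samples; the package names only mirror the situation in the post.

```javascript
// Added example (not from the original post). Inputs are constructed samples;
// package names only mirror the mismatch the post describes. The lock's root
// entry ("") records the specs that `npm ci` checks against package.json, while
// `npm install` would instead rewrite the lock to match the manifest.
const manifest = {
  name: "take-home-task",
  dependencies: { express: "^4.18.2", "json-mappings": "2.3.8" },
};
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.18.2", "json-map-source": "2.3.8" } },
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/json-map-source": {
      version: "2.3.8",
      resolved: "https://registry.npmjs.org/json-map-source/-/json-map-source-2.3.8.tgz",
      hasInstallScript: true, // npm sets this when lifecycle scripts (e.g. native builds) run at install
    },
  },
};

function auditLock(manifest, lockfile) {
  const findings = [];
  const declared = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const root = (lockfile.packages && lockfile.packages[""]) || {};
  const locked = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  // 1. Manifest vs lock root: any difference means the lock is not authoritative.
  for (const [name, spec] of Object.entries(declared)) {
    if (!(name in locked)) findings.push(`manifest-only: ${name}@${spec} (would be resolved fresh at install)`);
    else if (locked[name] !== spec) findings.push(`spec-mismatch: ${name} manifest=${spec} lock=${locked[name]}`);
  }
  for (const name of Object.keys(locked)) {
    if (!(name in declared)) findings.push(`lock-only: ${name}@${locked[name]} (not declared in package.json)`);
  }
  // 2. Per-package entries: install-time code, missing integrity, non-registry sources.
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (entry.hasInstallScript) findings.push(`install-script: ${name}@${entry.version} runs code at install time`);
    if (!entry.integrity) findings.push(`no-integrity: ${name}@${entry.version}`);
    if (entry.resolved && !entry.resolved.startsWith("https://registry.npmjs.org/")) findings.push(`non-registry: ${name} from ${entry.resolved}`);
  }
  return findings;
}

console.log(auditLock(manifest, lockfile).join("\n"));
```

On a real take-home task, replace the two constants with `JSON.parse(fs.readFileSync(...))` of the received files and read the findings before deciding whether to run `npm install` at all, and only ever in a disposable environment.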