I was targeted by a scammer. They presented as a company looking to hire engineers. Their LinkedIn profile, company site, etc. all seemed legit. The first thing I missed was that the meeting was set up with a person using a Gmail account.
I got on the call with the guy; his video was on and he looked like the LinkedIn profile photo.
They eventually got through the initial questions of the interview process, then they wanted to share their repo with me. I found it strange but thought a small company may do things a bit faster…
This is the bad part, the mistake: I ended up cloning the repo.
I hesitated before installing or running it, but everything until then seemed legit, and I did a quick poke around and it looked like a normal basic starter app. So I did install and run the app.
When Apple asked if it should give Cursor access to the Internet, I denied it.
It was a web3 gaming app which would have wanted to connect my wallet, but it never got to that stage. The app seemed to be just connecting, and the guy seemed unsure why and said he'd take it back to his devs.
I checked the console logs and network tab and things seemed fine. It was running in Chrome.
At this point Chrome randomly crashed (including the call with the person).
I changed the topic for a bit and asked more about the next steps, comp, etc. and he seemed to answer all that normally. Then at the end he asked if I was okay to be paid in crypto. He asked me to send my wallet address but I never did.
Once the call ended I felt a sinking feeling. I started digging more and I realized this was an attack…
I used Cursor to scan for vulnerabilities and it found the use of eval() on a response from an API call where the URL was base64 encoded. I traced the steps back and saw that the URL payload contained malware.
I have since found and killed connections to the IP address which the payload opened a connection to. I deleted node_modules, cleared the npm cache and deleted the repo. I've checked that no other open connections to the IP or any :3000 connections were open.
The good thing is I ran the app on a browser that was using an isolated profile with basically no real data on it. Metamask was logged out and no other stuff was available on that browser.
For all my passwords, I use 1Password. I use 2FA with a YubiKey for anything critical like AWS and other logins.
I am thinking for my final step, I will do a fresh restore and install of macOS. I don't need to keep any of my files since they are in repos or not important.
Is this sufficient, is there anything else I should think of to get back to a safe state?