New Type of LinkedIn Scam

Drew Serhiienko

Last month I got a message from Alexander Sullivan — Deputy Director of IT, 500+ connections, premium badge. Offers me a Tech Lead position at an AI healthcare startup. Describes the terms — everything looks good. Moreover, he uses my agency name in the conversation to build trust.

He describes the project MEDIRA — an AI platform for medical diagnostics. Tech stack fits: Next.js, React, MongoDB, OpenAI. No red flags yet.

"Can you take a look at our MVP before the technical interview? I'll add you to our private GitHub repo."

I start suspecting something's off. I check out their project, seems fine at first, but I already load the conversation into Claude to analyze for scam patterns (everything seemed too good to be true lol).

I clone the repository but don't run anything — I want to ask Claude Code to scan it first. It's a tool that analyzes the entire project folder. First, I let Claude know the code is suspicious and that it shouldn't execute any environments.

[Image gallery: The Scam Unfolds. Step-by-step analysis of how the scam was detected and prevented. Slide 1 of 6: Initial Contact (LinkedIn scam message).]

What Claude Found

Claude finds weird things:

  • Production MongoDB credentials in the .env file (live database with medical data exposed)
  • Code doesn't match the description: healthcare platform, but inside there are real estate models (rooms, price, sqmeter)
  • test-passwords.js file with a hardcoded password "1309#Mohsin"
  • References to a "BestCity" project throughout the auth code

Claude suggests I Google "BestCity job interview hack". I find David Dodda's article from two weeks ago — exact same scheme. Same BestCity project, same operation.

The malware is hidden in a sophisticated way: URLs are encoded as byte arrays, and the payload is loaded remotely via new Function(). If I had run npm install, it would've gotten full access to my machine: SSH keys, credentials, crypto wallets.

Looks like a classic test assignment for attention to detail, but this is a professional SCAM. They're targeting developers who are looking for new projects and going through dozens of test assignments.

Bottom line — I stop working with the code and delete everything from my machine completely.

And just recently I came across a Thread where people describe in detail that this is a new type of scam and that they, like me, almost ran the code. They were saved by basic cybersecurity rules, attentiveness, and paranoia.

Key Takeaways

  • Sandbox ANY unknown code
  • Use AI to check before running, with EXPLICIT instructions NOT to execute any dependencies (30 seconds can save everything)
  • Verify everything independently
  • Trust your instincts
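
The hiding techniques described above (URLs encoded as byte arrays, a payload run through new Function()) can be flagged by reading files as text, without installing or executing anything. The following is an added example, not code from the original post or from the repository it describes; the rule names, the check for npm lifecycle scripts and the sample files are assumptions constructed for illustration.

```javascript
// Static triage of untrusted JavaScript: reads text only, never evaluates it.
const DYNAMIC_EXEC = [
  { rule: 'new-function', re: /\bnew\s+Function\s*\(/ },
  { rule: 'eval-call', re: /\beval\s*\(/ },
];
// npm runs these package.json scripts automatically during `npm install`.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
const NUM = '(?:0x[0-9a-f]+|\\d+)';
const ARRAY_RE = new RegExp(`\\[\\s*((?:${NUM}\\s*,\\s*){7,}${NUM})\\s*,?\\s*\\]`, 'gi');
// Decode numeric array literals (8+ elements) and keep those that spell a URL.
function decodeByteArrays(text) {
  const urls = [];
  for (const m of text.matchAll(ARRAY_RE)) {
    const bytes = m[1].split(',').map((t) => Number(t.trim()));
    if (bytes.some((b) => b > 255)) continue;
    const decoded = String.fromCharCode(...bytes);
    if (/^(?:https?|wss?):\/\//i.test(decoded)) urls.push(decoded);
  }
  return urls;
}

function scanSource(path, text) {
  const findings = [];
  for (const { rule, re } of DYNAMIC_EXEC) {
    if (re.test(text)) findings.push({ path, rule });
  }
  for (const url of decodeByteArrays(text)) {
    findings.push({ path, rule: 'byte-array-url', detail: url });
  }
  if (/(?:^|\/)package\.json$/.test(path)) {
    let scripts = {};
    try { scripts = JSON.parse(text).scripts || {}; } catch { /* not valid JSON */ }
    for (const hook of LIFECYCLE) {
      if (scripts[hook]) findings.push({ path, rule: 'lifecycle-script', detail: `${hook}: ${scripts[hook]}` });
    }
  }
  return findings;
}

const scanAll = (files) => Object.entries(files).flatMap(([p, t]) => scanSource(p, t));
// Constructed sample input (not taken from the repository in the post).
const SAMPLE_FILES = {
  'server/config.js':
    'const u = [104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,112];\n' +
    'const run = new Function(body);\n',
  'package.json': '{"scripts":{"postinstall":"node server/config.js","dev":"next dev"}}',
  'models/room.js': 'module.exports = { rooms: 3, price: 100, palette: [1, 2, 3] };\n',
};
console.log(scanAll(SAMPLE_FILES));
```

Findings mean the project deserves manual review inside a sandbox; an empty result does not prove the code is safe, since these are only three textual patterns.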

Final thoughts

[Screenshot: Final]

Of course, I have no claims specifically against Mr. Alexander Sullivan. These guys simply hijack established accounts and use them for their purposes, scamming developers. Although even the final screenshot raises some suspicions...
