Freelance Developers Are Being Specifically Targeted by State-Sponsored Hackers and Here Is How to Protect Yourself
-

The Nickel Alley campaign documented by Sophos is a targeted and methodical operation, not a broad phishing blast. The group selects specific high-value individuals with developer profiles on Upwork, Fiverr, and LinkedIn, crafts credible-looking fake company pages with GitHub repositories and professional websites, and invests in a multi-step fake interview process designed to build enough trust that a technically sophisticated target will execute code on their own machine without suspicion. The sophistication of the social engineering is matched by the technical delivery, using compromised npm packages and legitimate-looking GitHub repositories to deliver malware through commands that any developer would recognize as normal parts of a project setup workflow.
For freelance developers, the practical protection checklist is straightforward, but it takes discipline to apply consistently. Never execute code from a repository sent by a prospective employer before independently verifying that the company exists, using channels you found yourself rather than links they provided. Check for inconsistencies between a company's LinkedIn page, website, and GitHub account: Sophos noted that Nickel Alley's fake infrastructure often uses different domains across these properties, a lapse in attention to detail. Be particularly skeptical of any interview process that requires you to clone and run a repository locally as a skills assessment before you have signed a contract or verified the employer's identity. Report suspicious recruitment contact immediately rather than engaging further to find out whether it is legitimate. State-sponsored threat actors with the resources and patience that Nickel Alley has demonstrated are counting on developers being curious enough to run the code and trusting enough not to verify first.
-
North Korea built a fake company, fake LinkedIn, fake GitHub, fake interview, and is patiently waiting for you to type npm start like a normal person.