I've noticed a rising number of posts from people who found malicious code in 'take-home assignments' supposedly from scammers posing as HR managers or employers offering job opportunities. A few months ago, I ran some of this code without using a virtual machine, which I now realize was a huge mistake. Fortunately, it's been three months since then and I haven't noticed anything unusual. I even consulted ChatGPT and checked several things it recommended, but nothing seemed suspicious. This leaves me wondering, how powerful can malicious JavaScript code really be? Could it just be waiting for a trigger from my system? How can I check for any potential threats?
1 Answer
Running `npm install` on a project can execute any code it wants as part of the installation script. This means malicious code could potentially steal all your passwords and cookies, and could even set up persistent malware on your system. Unlike code running in a web browser, it has full access to everything your user account can access, which makes it much more dangerous.
Should I still be concerned about it three months after running it, considering there hasn't been any unusual activity? Is it possible it could be waiting for some action to trigger it?