
Malware Nowadays

A zip file disguised as a frontend task, a supply-chain landscape on fire, and a phone call from someone I'd never met — what happened and what I still don't know.

Today I got a phone call from someone named Neelansh. I'd never spoken to him before. He'd found my number on my resume, which is linked from anuppradhan.in — but the path to that call was longer and stranger than a normal recruiter reach-out.

This is the story, and why I'm still not sure who — or what — to trust.

The project in the middle of it

I built WhatsApp-Campaigner for a company. They didn't end up using it, so I open-sourced it. It's a full-stack MERN app for WhatsApp campaign management — the kind of thing I'm happy to have public so people can see what I'm building.

A founder named Walid apparently asked Neelansh to improve the frontend on that project. Reasonable ask on paper: open-source repo exists, someone contributes a PR, everyone wins.

Except Walid didn't share a Git repository.

He sent a zip file.

What Neelansh found

When Neelansh opened the archive, it wasn't a clean codebase handoff. It contained malware. He caught it in time and protected himself — which is the part of this story that matters most. One wrong double-click, one tired evening, and the headline writes itself differently.

After that, Neelansh did something clever. He traced activity back through the project logs, landed on my GitHub, found my site, opened the contact section, pulled my resume, and called me to warn me that something was circulating under the umbrella of my work.

I appreciate that more than I can fit in a terminal window.

The question I can't answer yet

Here's what neither of us knows for sure:

Was my original repository already compromised — a bad dependency, a leaked token, something in the install chain — or did someone manually lace a zip before it ever touched Git?

Both feel plausible in 2026.

We've watched supply-chain attacks hit names people actually trust: Next.js ecosystems, TanStack Query, Axios, and the usual npm roulette where maintainer burnout becomes everyone's incident. You run npm install, skim the diff, ship on Friday, and find out Monday that you weren't installing what you thought.

A zip from a "founder" who won't use Git is a different threat model — social engineering with a Trojan wrapper — but the outcome rhymes: you thought you were working on UI, you were running someone else's payload.

I don't know Walid. I don't know his intent. I don't know if the zip was a one-off trap aimed at Neelansh, a broader campaign, or a mistake mislabeled as "the project." I'm not going to pretend I do.

What I do know:

  • Neelansh did the right things — skepticism, containment, then disclosure.
  • My public repo deserves an audit: dependencies, lockfile, GitHub Actions workflows, release artifacts, anything that could have been tampered with upstream or downstream.
  • "Open source" is not a trust stamp. It means the code is visible. You still have to verify which code you're running.

Malware nowadays isn't one shape

It used to be easier to caricature: sketchy .exe, obvious phishing, Nigerian prince energy.

Now it's:

  • A zip that looks like a freelance brief
  • A package with a patch version and a plausible README
  • A repo invite that never comes, only a Drive link
  • A dependency that worked last week

The attack surface moved into the workflow — the places developers already go when they're trying to be helpful, fast, and employed.

What I'm doing about it

Short list, no heroics:

  1. Review WhatsApp-Campaigner: lockfile, known advisories (npm audit against the committed lock), CI secrets, workflow files, release tags. Treat Neelansh's report as a trigger, not gossip.
  2. Never treat a zip as the source of truth when a public Git remote exists. Clone the repo, extract the archive beside it, and compare file hashes; whatever exists only in the zip is the thing to read first. Boring wins.
  3. Keep resume/contact paths in mind. They're discoverable by design; that's a feature and a risk.
  4. Write this down so the next person who googles the project after a weird archive finds a human explanation, not silence.

If you're contributing to someone's open source: clone from GitHub (or the canonical remote), check the org, check recent commits, and run installs in a sandbox with lifecycle scripts off (npm ci --ignore-scripts) until you've read what postinstall actually does. If a client sends you a zip and gets defensive about version control, that's a signal, not a personality quirk.

Who do you trust?

I used to think the answer was reputations: big companies, starred repos, familiar package names.

Lately the answer is closer to process:

  • reproducible installs (a committed lockfile and npm ci, not a fresh npm install)
  • signed commits where it matters
  • least privilege on tokens
  • friends who call you when something smells wrong

Neelansh did that last one for me today.

I still don't know if my project was poisoned at the root or if someone wrapped malware in my project's clothes. I'm going to find out as much as I can. Until then — trust workflows, verify artifacts, and pick up the phone when a stranger says your name and "zip file" in the same breath.

If you've seen something similar around open-source outreach — fake client repos, poisoned archives, dependency drama — get in touch. I'd rather learn from your near-miss than repeat it.


Stay safe out there. And please: send a Git URL, not a zip.

anup@ruki:~$