A backdoor in a LinkedIn job offer (roman.pt)
1574 points by lwhsiao 1 day ago | 301 comments
tl;dr: A developer received a LinkedIn message from a fake crypto startup "recruiter" asking him to review a GitHub repo and check a "deprecated Node modules issue" — bait to trigger `npm install`, which auto-runs a `prepare` script that executes a backdoor disguised as a test file, fetching and running arbitrary code from a remote server. Both the recruiter's LinkedIn profile and the repo's commit author identity were stolen from real people. He flagged the threat using a read-only AI agent on a throwaway VPS, which spotted the payload in seconds.
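A small pre-install check for the pattern the summary describes, added here as an example (not code from the post or the repo in question): it parses a package.json and lists the lifecycle hooks npm runs on its own during `npm install`, with heuristic flags for things worth a manual look. The sample package.json and the regex heuristics are constructed for this example.

```javascript
// Added example: audit package.json lifecycle hooks before running `npm install`.
// npm executes these scripts automatically during a bare `npm install` in a
// checked-out repo (prepare runs on local install without arguments).
const AUTO_RUN_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics (constructed for this example) that justify reading the script by hand.
const SUSPICIOUS = [
  { re: /\bnode\s+\S*(test|spec)\S*\.js\b/i, why: "runs a 'test' file at install time" },
  { re: /\b(curl|wget)\b/i, why: "fetches remote content" },
  { re: /\b(eval|Function)\s*\(/, why: "dynamic code evaluation" },
  { re: /\b(base64|atob)\b/i, why: "encoded payload" },
];

// Returns one entry per auto-run hook present, with the reasons it was flagged.
function auditLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of AUTO_RUN_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = String(scripts[hook]);
    const reasons = SUSPICIOUS.filter((s) => s.re.test(cmd)).map((s) => s.why);
    findings.push({ hook, cmd, reasons });
  }
  return findings;
}

// Constructed sample mirroring the post: a `prepare` hook that runs a "test" file.
const SAMPLE = JSON.stringify({
  name: "fake-startup-frontend",
  scripts: { prepare: "node test/setup.test.js", test: "jest" },
});

for (const f of auditLifecycleScripts(SAMPLE)) {
  const note = f.reasons.length ? `  <- ${f.reasons.join("; ")}` : "";
  console.log(`${f.hook}: ${f.cmd}${note}`);
}
// Mitigation: `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc)
// skips every hook above; run the scripts later only after reading them.
```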
HN Discussion: