I'm in the middle of an interaction that has raised a few red flags, and at this point I'm confident this is part of hacking attempt. But I thought asking here could give me a better perspective from an outsider. Here is the sequence of events:

Someone reaches out in Linkedin claiming to have full time and part time roles that match my profile. I say I could be interested in part time work and they immediately reply that there's a 4k monthly salary offer for 15-20 hours per week.

I reply that's half my hourly rate and they reply the client is almost willing to accept but wants to meet with me first. 1st red flag: no problem with doubling the offer

I accept and book a time with their technical person. 2nd red flag: the calendar had pretty much full availability

They tell me to complete a task before the meeting and provide a Microsoft Teams chat with someone from their team to talk about the task.

The person in the chat sends me screenshot of two issues. I ask if they have the code in github, to which they replied "github?". 3rd red flag

Then the same parson sends me a zip file and ask about my node version. 4th red flag

At this point I'm already suspicious and not willing to run that code on my machine. I get a fresh linux install on an old machine and download the code. I asked Cursor to find anything suspicious, and the only thing was a dependency mismatch between package.json and package-lock.json. I check the package present in package-lock, `json-map-source`, which is marked as a malicious package on https://security.snyk.io/package/npm/json-map-source. This package was removed from npm 18 days ago. Big red flag.

I check what's npm's resolution of that mismatch, and I find it would install `json-mappings`. I check on npm this package was created 18 days ago, and the first and only version is 2.3.8, which happens to be the same version flagged as malicious for the package `json-map-source`. Massive red flag

Furthermore, the package is not on git, it's uploaded by a throwaway email, and the README that is shown in npm list the yarn install command as `yarn add json-map-source` (the malicious package). In the code the package is just loaded and passed as middleware to an express app. The package has `sqlite3` as native dependency, which compiles native code.

As I'm writing this message I really don't see how this could be something other than a hack attempt, but I'd love to have someone else's input on this. Especially from people more knowledgeable about security than me, which is easy.

Thanks!

Ask HN: Are they trying to hack me?