Matt Mastracci says a fake VC interview tried to turn his maintainer laptop into a supply-chain foothold
The Rust maintainer found a TypeScript take-home repo that hid PinpinRAT in a TypeScript patch and PNG payload.
By Ryan Merket · Published
Why it matters
The attempted attack shows how startup-style advisory workflows can be weaponized against open-source maintainers whose laptops may hold registry credentials, tokens and downstream distribution power.

Matt Mastracci (@mmastrac), a former startup founder and Rust maintainer, says he was targeted in mid-June by a fake advisory interview that tried to backdoor his machine through a TypeScript take-home assignment, according to a June 25 post on his personal site Grack.
The attempted compromise is not a funding story or a launch story. It is a founder and maintainer story: attackers appear to have used the ordinary machinery of startup work - a VC introduction, a portfolio-company advisory pitch, a video call and a repo to review - to reach the person behind open-source packages that other developers depend on.
Mastracci wrote that he lives in Canada and reported the incident to Canadian authorities, including the Canadian Centre for Cyber Security. He also wrote that others in the Rust community said they were targeted, though his post does not prove those attempts came from the same actor.
The attribution remains unresolved. Mastracci titled the post "Anatomy of a Failed (Nation-State?) Attack," but he did not identify the attacker and explicitly said the persona used in the outreach was fabricated. The important part is the route in: not a zero-day sprayed across the internet, but a patient social-engineering workflow built to make a maintainer run code on a trusted machine.
The pitch looked like startup work
Mastracci is not a random inbox. His GitHub profile describes him as ex-Deno, StumbleUpon and FullStory, and shows a long-running open-source footprint. A Leankor advisor bio says he was a developer at StumbleUpon before eBay's 2007 acquisition, founded or served as CTO of DotSpots, Gripe and Cheers, and holds a BSc in Electrical and Computer Engineering from the University of Calgary. Lib.rs lists him as the creator of 24 Rust crates, including ctor, which the site says has 2.1 million downloads.
That background explains why the pitch worked long enough to get to a call. Mastracci wrote that he received an email about a week and a half before the June 25 post from someone claiming to be from Lua Ventures, which he later described as a defunct Singapore-based DeFi venture firm. The persona was fake, he wrote, and the name was redacted because it could be confused with real uninvolved people.
The attacker named two supposed portfolio companies, Lyrasing and Roadpay, that were looking for advisory help. Mastracci wrote that both had basic web presences that were not obviously fake on first inspection. The attacker then held a call with him. Mastracci said the man on the call had a German accent and said he was traveling. None of that, by itself, was enough to break the spell.
That is the part founders should recognize. The attacker did not need to invent an exotic workflow. Startup advisory and diligence calls already involve loose references, half-built websites, calendar friction and incomplete company trails. The scam worked because it resembled the real messiness of early-stage work.
The repo was the exploit delivery system
After the call, Mastracci wrote, the attacker sent a "test" repository themed as a ferry-ticketing app called Ticket Harbor. The included task file asked him to run the repo's typecheck, tests and relevant build commands before submitting.
That instruction was the trigger.
Mastracci said he became suspicious because the TypeScript repository did not fit the advisory discussion and looked more like a job-interview exercise. He zipped the repo and used Claude to scan it. The model flagged unusual use of patch-package and pointed to a malicious payload in typescript+5.9.2.patch, where a base64 and XOR-obfuscated loader had been injected into typescript.js and _tsc.js.
The chain Mastracci described was designed for a developer's muscle memory. Four postinstall hooks ran patch-package; one also ran git update-index --skip-worktree to hide patch changes from git status. The TypeScript patch installed a self-executing stub. The stub read a hidden chunk appended to operators/3.png, executed a small WASM component and spawned a detached Node process with what Mastracci described as a 1.68 MB obfuscated second-stage payload.
Mastracci called the malware "PinpinRAT" based on internal strings, while noting that it may have another name and that he could not find other references online. He said the payload-laden image did not trigger security vendors on VirusTotal at the time of his post.
The RAT, as described by Mastracci, collected host details, generated local cryptographic keys, used AES-256-CBC for session traffic, and supported commands to read files, write files, spawn processes, move through the filesystem and remove itself. His indicators of compromise included C2 at 89.124.107.161:80, a Windows scheduled task named PinpinWrappedJs, a macOS process masquerading as com.apple.WebKit.Networking, and artifact directories under macOS, Linux and Windows temp or cache paths.
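An added defender-side check, not code from Mastracci's post or from the repository he describes: a small Node script that flags the two mechanics above before anything is installed, namely npm lifecycle hooks that run patch-package or `git update-index --skip-worktree`, and PNG files that carry bytes after the IEND chunk. The package.json object and the PNG buffers are constructed sample inputs; the script also flags `--assume-unchanged`, which hides changes from `git status` in the same way.

```javascript
// Added example (not from Mastracci's post): audit a take-home repo before
// running "npm install". Two checks, matching the chain described above:
//  1. package.json lifecycle hooks that invoke patch-package or hide their
//     edits from git status with update-index --skip-worktree/--assume-unchanged
//  2. PNG files with extra bytes after the IEND chunk (a place to hide a payload)
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];
const SUSPICIOUS = [
  /patch-package/,
  /update-index\s+--(skip-worktree|assume-unchanged)/,
];

// Returns one finding per (hook, pattern) match; empty array means nothing flagged.
function auditScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    for (const re of SUSPICIOUS) {
      if (re.test(cmd)) findings.push({ hook, cmd, reason: re.source });
    }
  }
  return findings;
}

const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Walk PNG chunks (4-byte length, 4-byte type, data, 4-byte CRC; CRC not verified)
// and return how many bytes follow IEND. A clean image returns 0.
function pngTrailingBytes(buf) {
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) throw new Error('not a PNG');
  let off = 8;
  while (off + 12 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString('latin1', off + 4, off + 8);
    const next = off + 12 + len;
    if (type === 'IEND') return buf.length - next;
    off = next;
  }
  throw new Error('truncated PNG: no IEND chunk');
}

// Constructed sample inputs: a package.json with a tampering postinstall hook,
// a minimal clean PNG, and the same PNG with a blob appended after IEND.
function demo() {
  const pkg = { scripts: { build: 'tsc',
    postinstall: 'patch-package && git update-index --skip-worktree node_modules/typescript/lib/typescript.js' } };
  const chunk = (type, data) => { const len = Buffer.alloc(4); len.writeUInt32BE(data.length);
    return Buffer.concat([len, Buffer.from(type, 'latin1'), data, Buffer.alloc(4)]); };
  const cleanPng = Buffer.concat([PNG_SIG, chunk('IHDR', Buffer.alloc(13)), chunk('IEND', Buffer.alloc(0))]);
  const stuffedPng = Buffer.concat([cleanPng, Buffer.from('payload-bytes-appended-after-IEND')]);
  return { scriptFindings: auditScripts(pkg), clean: pngTrailingBytes(cleanPng), stuffed: pngTrailingBytes(stuffedPng) };
}
```

Running the checks against a real checkout means reading package.json and every image under the repo with `fs` instead of the constructed inputs in `demo()`; a non-zero trailing-byte count or any lifecycle finding is a reason to stop and inspect before installing.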
The target was probably maintainer access
Mastracci wrote that, based on the emails, he assumes the target was his packages on crates.io. That is an assumption, not a confirmed motive. But it is the right working model for understanding the incident.
A compromised maintainer laptop can be more valuable than a compromised SaaS account. It may hold package registry credentials, SSH keys, API tokens, browser cookies, source access and signing material. The attacker does not need to exploit every downstream user directly if the maintainer can be turned into the distribution channel.
The attempted compromise also crossed ecosystems. The target was a Rust maintainer. The lure was a TypeScript and Electron-style repository. The execution path relied on npm lifecycle scripts, patch-package, a TypeScript patch, a PNG container and Node. That mix matters because modern maintainers do not operate in one clean language silo. A Rust author can still be asked to review a JavaScript repo for advisory work, and the build tool he runs may be the first code that matters.
Mastracci's own career helps explain why the attacker's route was plausible. At FullStory, he wrote publicly about building mobile analytics with privacy controls, describing the tension between product diagnostics and what mobile apps should capture from users. His public record is exactly the sort of technical, cross-functional background that would make an advisory ask believable.
Fake interviews are becoming operating infrastructure
Mastracci linked his incident to Manish Goregaokar's June 17 post, "The Future of the Con Is Already Here, It's Just Not Evenly Distributed", which argued that AI lowers the cost of personalized scams and makes high-touch social engineering easier to scale.
That broader frame fits the Mastracci case. The attacker did not merely send a malicious attachment. The setup included a fabricated identity, web properties for supposed companies, a LinkedIn profile, a call, a repository and a task that looked boring enough to be real. The low drama was the point.
The useful lesson is not that every advisory call is suspect. It is that the trust boundary has moved. For maintainers, "run the test suite" is no longer administrative cleanup after a conversation. It is the point where the other party's code crosses into the maintainer's environment.
Mastracci's near miss ended before execution because the assignment felt misaligned and because he chose to inspect the repo before running it. That is the part attackers are pricing in. The most valuable maintainers are busy, technical and used to running unfamiliar code. The startup ecosystem gives attackers a socially acceptable script for asking them to do it.