Damaged Goods: Why Wiping the Laptop Won’t Save You
Here’s the counterintuitive part: this malware doesn’t try to stick around. And that makes it more dangerous, not less.
It’s a smash-and-grab. It runs, steals what it can, and gets out. Reboot the machine and the malware is gone. As Tom Pohl explains, that’s deliberate — the attacker doesn’t want you to connect yesterday’s “interview” to today’s drained crypto wallet or hijacked email. A quiet, non-persistent infostealer is also less likely to trip antivirus than something that digs in for the long haul.
In those few minutes, though, it takes plenty:
- Saved passwords from 10 Chromium-based browsers.
- Cryptocurrency wallets — data from 27+ browser wallet extensions.
- Developer secrets — SSH keys, API tokens, and other credentials.
- Your clipboard — read once per second.
From the whitepaper: 10 browsers and 27+ wallet extensions targeted.
Wiping the laptop afterward won’t help. The secrets already left the building. As Sherri Davidoff puts it, the lasting damage isn’t malware on the machine — it’s the credentials, keys, and tokens that are now in someone else’s hands.
And those secrets travel. A developer who reuses a password — even a long, strong one — hands the attacker a key that may still work at their next employer. Tom’s blunt summary: the candidate is “already damaged goods” before they ever show up for day one.
So don’t measure this attack by how long the malware stays. Measure it by what left in the first five minutes — and where those credentials get reused next.
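Measuring "what left" starts with knowing which secret stores exist on the machine. The script below is an added example, not code from the post or the LMG Security whitepaper: it checks the categories the post names (SSH keys, API tokens, browser saved logins) at typical default locations, then turns the findings into a rotation checklist, with the clipboard always included because anything copied while the stealer ran is exposed. The paths, the `build_demo_home` sample layout and the `demo` helper are assumptions constructed for this example; the file locations are common defaults and not an exhaustive list.

```python
"""Post-incident exposure inventory for a developer workstation.

Added example (not from the post or the whitepaper): report which secret
stores exist under a home directory and produce a rotation checklist.
Paths are typical Linux/macOS defaults and are an assumption; extend them
for your own tooling.
"""
import tempfile
from pathlib import Path

# Typical locations per category (assumed defaults; hypothetical inventory, not exhaustive)
SECRET_LOCATIONS = {
    "ssh_keys": [".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa"],
    "api_tokens": [".aws/credentials", ".npmrc", ".docker/config.json",
                   ".netrc", ".config/gh/hosts.yml"],
    "browser_saved_logins": [
        ".config/google-chrome/Default/Login Data",
        ".config/chromium/Default/Login Data",
        "Library/Application Support/Google/Chrome/Default/Login Data",
    ],
}

# What to do per category once the machine is treated as compromised
ROTATION_ACTIONS = {
    "ssh_keys": "Generate new key pairs; remove the old public keys from every "
                "server, Git host and CI system.",
    "api_tokens": "Revoke and reissue tokens at the issuer (cloud console, "
                  "registry, Git host); review the issuer's audit logs.",
    "browser_saved_logins": "Reset every saved password, starting with email "
                            "and SSO, and invalidate active sessions.",
    "clipboard": "Anything copied while the machine was running is exposed; "
                 "treat pasted secrets as leaked.",
}


def inventory(home: Path, locations=SECRET_LOCATIONS) -> dict[str, list[Path]]:
    """Return, per category, the secret stores that exist under `home`."""
    found = {}
    for category, rel_paths in locations.items():
        found[category] = [home / rel for rel in rel_paths if (home / rel).exists()]
    return found


def rotation_plan(found: dict[str, list[Path]]) -> list[str]:
    """Build the checklist: each category with a present store, plus the clipboard."""
    plan = []
    for category, paths in found.items():
        if paths:
            plan.append(f"[{category}] {len(paths)} store(s) present: "
                        f"{ROTATION_ACTIONS[category]}")
    # The clipboard has no file on disk but is always in scope for this stealer
    plan.append(f"[clipboard] {ROTATION_ACTIONS['clipboard']}")
    return plan


def build_demo_home(base: Path) -> Path:
    """Constructed sample layout: one SSH key, two token files, no browser profile."""
    for rel in [".ssh/id_ed25519", ".aws/credentials", ".npmrc"]:
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("placeholder, not a real secret\n")
    return base


def demo() -> tuple[dict[str, list[Path]], list[str]]:
    """Run the inventory against the constructed sample home (offline)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_demo_home(Path(tmp))
        found = inventory(home)
        return found, rotation_plan(found)


if __name__ == "__main__":
    # Replace demo() with inventory(Path.home()) to assess the real machine
    _, plan = demo()
    for line in plan:
        print(line)
```

The inventory only answers "which stores were there to take"; it cannot tell you whether they were read, so the plan treats every present store as exposed, which matches the post's point that the machine's state after reboot is irrelevant.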
Go deeper
Part 5 of our human supply chain series. Read the full analysis in the LMG Security whitepaper, and hear Tom and Sherri on the Cyberside Chats episode, “Damaged Goods: When Your New Hire Is Already Compromised.”