> so just installing dependencies executes the backdoor.

How anybody in their right mind still uses this tech stack is beyond me.

> I reported the repo to GitHub and the recruiter to LinkedIn. So far nothing has changed and the code is still up.

Remember to treat every site on the internet as an adversary, even if they weren't in the past.