New internet scams keep appearing, and some of them now arrive as job offers. So keep your eyes open and your brain on high alert to make sure you’re not one of the victims.
For this specific scam, someone posts a freelance gig, or a recruiter messages you about a remote role that sounds really good. The person seems real, the company has a website, and the next step is small and reasonable: a 30-minute test assignment. They send you a GitHub link and ask you to clone it, install the dependencies, run it, and share your feedback.
How the scam works
The pattern is remarkably consistent across the cases that have surfaced. A fake (in some cases even hijacked) recruiter or “founder” reaches out with an attractive opportunity, often at a crypto, Web3, or AI startup.
After some legitimate-looking back and forth, you’re asked to complete a take-home task hosted on a private GitHub, GitLab, or Bitbucket repository. The project looks completely normal: a real README, a plausible package.json padded with legitimate libraries, a functioning frontend and hundreds of lines of believable code.
The malicious part is buried where you’re unlikely to look, and it doesn’t run when you read the code but when you build or install the project, which is exactly what the “test” instructions tell you to do. In one case reported on Reddit, the start script was quietly configured to force-install every dependency before launching the app.
How they hide the scam
Rather than dropping obvious malware into the repo, the attacker built a chain of custom dependencies, each one looking dull and harmless.
Most times, the visible project depends on an innocuous-sounding “logging” package. That package, in turn, requires another “data utility” package that pulls in a third. Only at the bottom of that nested chain is the real mechanism live: a routine that decrypts a hidden, garbled payload at runtime.
By keeping the malware encrypted as a meaningless blob until the moment it runs, the whole thing sails straight past GitHub’s automated scanners. The trigger was then tucked inside an ordinary-looking backend file, so that simply running the project set off the decryption chain and silently launched the trojan in the background.
This mirrors what security researchers at ESET, for example, have documented in a wider campaign: malicious code hidden in an unrelated file, sometimes appended as a single line behind a long comment so it sits off-screen, or buried inside a dependency of a dependency. The specifics vary, but the philosophy doesn’t: keep the payload invisible until execution.
Once it runs, it typically pulls down an infostealer that goes after saved browser passwords, session tokens, your system keychain, and any crypto wallet extensions you have installed. Many variants then install a second-stage remote-access tool so the attackers can keep poking around long after the “interview” is over.
Why it’s so easy to fall for this scam
If your instinct is “I’d never fall for that,” you may want to think again. These operations have become very polished and very difficult to spot.
In one case reported by The Register, a developer went through a camera-on video interview with an HR rep whose face and English were convincing enough that nothing felt off, followed by a technical round with two “engineers” listed on the company website. At one point, the three of them even joked about all the job scams targeting developers. When he hesitated about running the repo, they didn’t push and offered an alternative, so that lack of pressure earned his trust.
He ran the test. In 56 seconds, before he could cut his Wi-Fi, the code had harvested 634 saved Chrome passwords, his macOS keychain, and his MetaMask wallet data.
Forget the typo-ridden emails from a fake prince. This scam shows you a plausible company, a real-feeling process, and just enough patience to make you comfortable.
The primary targets sat in the United States, but we are noticing the activity shifting towards Europe, with victims in countries including France, Poland, Ukraine, and Albania. This is no longer a “somewhere else” problem, and if you’re a developer in the European market, you’re their target.
The personas show up wherever developers look for work: LinkedIn, Upwork, Reddit, freelance subreddits, and crypto job boards. Some accounts are entirely fake, but others are real profiles that have been compromised and repurposed.
How to protect yourself without becoming paranoid
You don’t need to treat every recruiter as a threat. Just set a few firm rules and habits, starting with this one: never run a stranger’s code on your main machine.
If you want to complete a take-home from an unverified source, do it inside a disposable virtual machine or a sandboxed container with no access to your credentials, wallets, or company systems. This single habit defeats almost the entire class of attack.
And, of course, read before you run:
- Open the repo on the web and look at the package.json scripts.
- Be suspicious of anything that force-installs dependencies or fetches and executes remote code on start, postinstall, or build.
- When installing Node dependencies from anything you don’t fully trust, `npm install --ignore-scripts` stops lifecycle hooks from firing, which is where a lot of this malware triggers.
- Verifying the company independently, rather than through the links they sent you, also goes a long way.
- Check the domain’s age and history.
- Confirm the person through a channel you found yourself.
- Keep your crypto wallets and password vaults off the machine you use for casual code review in the first place.
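As an added example (not code from the article or from any project it mentions), here is a small Node script that automates the “read before you run” checks from that list against a package.json object. The hook list, risk patterns and the sample package are constructed for illustration.

```javascript
// Added example, not code from the article: a triage helper that reads a
// package.json object and flags the patterns the checklist above describes:
// hooks that run on install/start/build, scripts that force-install or
// fetch-and-execute remote code, and dependencies not from the npm registry.
const HOOKS = ["preinstall", "install", "postinstall", "prepare", "start", "build", "dev"];

const RISKY = [
  { re: /npm\s+(i|install)\b[^&|;]*--force/, why: "force-installs dependencies" },
  { re: /\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b/, why: "pipes a download into a shell or node" },
  { re: /\bnode\s+-e\b/, why: "runs inline JavaScript" },
  { re: /\beval\(/, why: "uses eval" },
  { re: /https?:\/\//, why: "references a remote URL" },
];

// Returns a list of findings. An empty list means nothing matched, not that the
// project is safe: the article's payload sat encrypted inside a nested dependency.
function auditPackage(pkg) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    for (const { re, why } of RISKY) {
      if (re.test(cmd)) findings.push({ where: `scripts.${hook}`, why, detail: cmd });
    }
  }
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (/^(git\+|github:|https?:|file:)/.test(spec)) {
        findings.push({ where: `${field}.${name}`, why: "not from the npm registry", detail: spec });
      }
    }
  }
  return findings;
}

// Constructed sample resembling the repo described in the article (not a real project).
const SAMPLE = {
  name: "take-home-task",
  scripts: {
    postinstall: "node -e \"require('./utils/logger').init()\"",
    start: "npm install --force && node server.js",
  },
  dependencies: {
    express: "^4.18.2",
    "log-helper-utils": "git+https://example.invalid/org/log-helper-utils.git",
  },
};

for (const f of auditPackage(SAMPLE)) console.log(`${f.where}: ${f.why} -> ${f.detail}`);
```

Note that `--ignore-scripts` only silences install-time hooks; `npm start` still runs the start script, which is exactly where the Reddit case put its force-install, so read that script before running it.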
If you think you already ran something suspect, treat it as a live incident: disconnect, rotate every credential that was accessible, move any crypto, and assume browser-stored passwords are compromised. Then report it everywhere you can.
Job hunting is not the problem
Looking for a new job puts you in precisely the state these attackers rely on: motivated, flattered by the attention, and eager not to seem difficult. So, keep the excitement, but also keep your brain on high alert.
A real employer will never need you to run unknown code on your personal machine to prove you can do the job. If an “opportunity” depends on you doing that, maybe the opportunity is the attack.
If you’re looking for safe ways to find a job, take a look at our open positions.