How A Fake Job Interview Tried To Steal My Keys
A recruiter messaged me. They offered a take-home challenge on GitHub. It looked normal.
The malware lived in the build tooling, not in the app code. Most developers read the source. Few read the lockfile. Fewer still read the install scripts in package.json.
That is where the payload lives: in a lifecycle hook that npm runs for you, automatically, the moment you install.
The scam follows a pattern:
- You get a job offer.
- You clone a repo for a test.
- The repo runs malicious code during install.
- It steals your wallet keys and browser data.
Red flags to watch for:
- Lifecycle hooks such as preinstall, install, postinstall or prepare in package.json.
- Obfuscated code with random hex identifiers (the _0x… names common obfuscators emit).
- Base64 or hex-escaped strings that decode to URLs or commands.
- Network calls to unknown hosts during build.
- Dependencies in the manifest but not in the lockfile.
How to stay safe:
- Turn off install scripts: npm config set ignore-scripts true (or pass --ignore-scripts to a single install). The few packages that genuinely need a build step can be rebuilt deliberately, one at a time.
- Set a minimum release age so freshly published package versions are not pulled in before anyone has had time to report them (for example pnpm's minimumReleaseAge setting).
- Use a throwaway VM or container for unknown code, with no wallets, SSH keys or browser profiles on it.
- Treat recruiter repos as hostile.
Cloning a repo runs nothing. Installing it does, and so can opening it in an editor that auto-runs workspace tasks or hooks. Read every file, including the scripts block of package.json and the lockfile, before you run a single command.
I built a tool to automate this. It scans repos for build-time execution and obfuscated payloads. It reads the files without running them.
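A read-only scan of that kind, written here as an added example and not the author's tool, parses package.json, package-lock.json and the source text for the red flags listed above: lifecycle hooks, obfuscator-style hex identifiers, base64 blobs that decode to a URL, and dependencies declared in the manifest but missing from the lockfile. Nothing from the repo is executed. Every file in SAMPLE_REPO is constructed sample data; hypothetical-helper and example.invalid are placeholders, not a real package or host.

```javascript
// Added example, not the author's scanner: a read-only check of a cloned repo
// for the red flags listed in the post. It parses package.json, the lockfile
// and source text; it never executes anything from the repo.
// Everything in SAMPLE_REPO below is CONSTRUCTED sample data, not a real repo.

// npm lifecycle hooks that run automatically during `npm install` / `npm ci`.
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall', 'preprepare', 'prepare', 'postprepare', 'prepublish',
];

// Identifier style emitted by common JavaScript obfuscators (e.g. _0x4f2a).
const HEX_IDENT_RE = /\b_0x[0-9a-f]{4,}\b/g;
// Base64 runs long enough to hide a URL or a shell command.
const BASE64_RE = /[A-Za-z0-9+/]{24,}={0,2}/g;

// Package names recorded in a lockfile: v2/v3 "packages" keys look like
// node_modules/<name> (or node_modules/@scope/<name>); v1 uses "dependencies".
function lockedPackageNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const m = key.match(/node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (m) names.add(m[1]);
  }
  for (const name of Object.keys(lock.dependencies || {})) names.add(name);
  return names;
}

// Flags lifecycle scripts, and dependencies declared in the manifest but absent
// from the lockfile (those get resolved fresh on your machine at install time).
function scanManifest(pkg, lock) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ type: 'lifecycle-hook', hook, command: pkg.scripts[hook] });
    }
  }
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = lockedPackageNames(lock);
  for (const name of Object.keys(declared)) {
    if (!locked.has(name)) findings.push({ type: 'unlocked-dependency', name });
  }
  return findings;
}

// Flags obfuscator-style identifiers and base64 blobs that decode to a URL.
function scanSource(path, text) {
  const findings = [];
  const hexNames = new Set(text.match(HEX_IDENT_RE) || []);
  if (hexNames.size >= 3) {
    findings.push({ type: 'obfuscated-identifiers', path, count: hexNames.size });
  }
  for (const blob of text.match(BASE64_RE) || []) {
    const decoded = Buffer.from(blob, 'base64').toString('utf8');
    if (/https?:\/\//.test(decoded)) findings.push({ type: 'base64-url', path, decoded });
  }
  return findings;
}

// files: map of repo-relative path -> file contents (read from disk in real use).
function scanRepo(files) {
  const pkg = JSON.parse(files['package.json']);
  const findings = [];
  if (!files['package-lock.json']) findings.push({ type: 'no-lockfile' });
  const lock = JSON.parse(files['package-lock.json'] || '{}');
  findings.push(...scanManifest(pkg, lock));
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('.js')) findings.push(...scanSource(path, text));
  }
  return findings;
}

// Constructed sample: a "take-home" repo with a postinstall hook, one dependency
// missing from the lockfile, and an obfuscated setup script. The domain
// example.invalid is a reserved name, not a real host; hypothetical-helper is
// not a real package.
const SAMPLE_REPO = {
  'package.json': JSON.stringify({
    name: 'take-home-challenge',
    scripts: { test: 'jest', postinstall: 'node ./scripts/setup.js' },
    dependencies: { lodash: '^4.17.21', 'hypothetical-helper': '1.0.0' },
  }),
  'package-lock.json': JSON.stringify({
    lockfileVersion: 3,
    packages: { '': { name: 'take-home-challenge' }, 'node_modules/lodash': { version: '4.17.21' } },
  }),
  'scripts/setup.js': [
    "const _0x4f2a = require('child_process');",
    "const _0x1b3c = 'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvYzI=';",
    "const _0x9e7d = Buffer.from(_0x1b3c, 'base64').toString();",
    '// remainder of the sample payload intentionally omitted',
  ].join('\n'),
};

console.log(JSON.stringify(scanRepo(SAMPLE_REPO), null, 2));
```

Run it with node; in real use, replace SAMPLE_REPO with the cloned files read from disk. A hit is a reason to read the file, not proof of malice: minified vendor bundles trip the identifier check too, which is why this scan pairs with reading, never with running.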
The job was fake. The malware was real.