𝗛𝗼𝘄 𝗔 𝗙𝗮𝗸𝗲 𝗝𝗼𝗯 𝗥𝗲𝗽𝗼 𝗧𝗿𝗶𝗲𝗱 𝗧𝗼 𝗦𝘁𝗲𝗮𝗹 𝗠𝘆 𝗞𝗲𝘆𝘀

𝗛𝗼𝘄 𝗔 𝗙𝗮𝗸𝗲 𝗝𝗼𝗯 𝗥𝗲𝗽𝗼 𝗧𝗿𝗶𝗲𝗱 𝗧𝗼 𝗦𝘁𝗲𝗮𝗹 𝗠𝘆 𝗞𝗲𝘆𝘀

A recruiter sent me a GitHub repo. It looked like a normal coding test. They told me to run npm install. It was a trap.

The repo wanted my wallet keys. It wanted my browser data. They hid malware in the build tools.

Most developers check the source folder. They skip the lockfile. They skip the postinstall script. The attack lives there.

Watch for these red flags:

• postinstall scripts in package.json.
• Obfuscated code in source files.
• Network calls during install.
• Mismatched dependencies in the lockfile.

Stay safe with these steps:

• Turn off install scripts.
• Run npm config set ignore-scripts true.
• Use a VM for untrusted code.
• Read scripts before you run them.
• Compare manifest and lockfiles.

Cloning a repo is safe. Installing runs the code. Treat recruiter repos as hostile.

Source: https://dev.to/pavelespitia/how-a-fake-job-interview-repo-tried-to-steal-my-keys-and-how-i-caught-it-1pkp