"Repository sent before the interview": developer discovers malicious code in a test task
Ukrainian front-end engineer Daniil Kostyuk described a potentially dangerous scheme he ran into while talking to an "employer" on LinkedIn.
According to the developer, he was contacted by a man who introduced himself as the CEO of a project in the medical and Web3 fields. After a short conversation, the candidate was invited to the next stage: reviewing the project's code repository before the interview.
"The communication was perfectly normal: he asks about my experience, says I'm a good fit, suggests moving on to the interview. He sends over the repository and asks me to call him back after I've looked at the project flow. In general, nothing unusual, but for some reason I decided not to open the code 'on faith' and to check it with AI," says Daniil.
However, instead of a normal test task, the repository contained a malicious script. "I decided not to open the code 'on faith' and to check it. And as it turned out, it was not in vain," said Daniil Kostyuk.
According to him, one of the files, disguised as bootstrap.min.js, performed suspicious actions: it decoded a hidden URL, sent the environment variables to that URL, received code in response and immediately executed that code locally.
In effect, this gave whoever controlled that URL the ability to run arbitrary code on the developer's computer, and the environment variables sent out beforehand are exactly where API keys, tokens and other secrets commonly live.
In addition, the repository contained other suspicious minified scripts.
This is most likely a variant of social engineering in which attackers pose as recruiters or startup founders and send candidates "test tasks" or repositories.
The expectation is that the developer will run the code locally without checking its contents.
Daniil Kostyuk urges caution: «Always check what you are going to run on your machine.»
Among the basic recommendations: do not run unfamiliar code without reviewing it; read the contents of scripts even when they look like standard libraries (a file named bootstrap.min.js is not necessarily Bootstrap); use isolated environments (a sandbox or a VM) for anything you do run; and pay attention to atypical behavior, such as a front-end library reading environment variables or making network requests.