The Contagious Interview: How Fake Job Offers are Delivering Malware

May 14, 2026

In the modern job market, LinkedIn has become the primary hunting ground for recruiters and professionals alike, and that openness is exactly what makes it valuable to attackers. A recent account from developer ashishb describes a pattern that is becoming common: attackers pose as recruiters or founders, lure experienced engineers into "technical advisor" roles, and use the interview process itself as the delivery mechanism for malware.

This is not a phishing link that an email gateway might catch. It is targeted social engineering that trades on a developer's professional trust and curiosity, and the victim runs the hostile code themselves, on their own machine, with their own credentials loaded in the environment. No perimeter control is in the path.

Anatomy of the "Technical Advisor" Scam

The attack follows a consistent script designed to build rapport before delivering the payload. In the two incidents described, the target was approached on LinkedIn with an offer to join a project as a technical advisor. The process unfolds in three stages:

  1. The Hook: A professional-looking profile reaches out with a high-status offer (e.g., a Web3 project advisor). This appeals to the target's expertise and ego.
  2. The Validation: The attacker schedules a meeting, shares Figma mocks to prove the project is "real," and establishes a sense of legitimacy.
  3. The Payload: The attacker shares a link to a code repository (GitHub or Bitbucket) and insists that the candidate clone the repo locally and run it to "evaluate" the code or provide feedback during a live screen-share.

Technical Breakdown: How the Malware Works

Once a developer clones the repository, the attackers rely on several triggers to get the code running, usually without the victim ever typing an explicit "start" command.

Vector 1: The npm install Trigger

Many developers instinctively run npm install to set up a project. A plain npm install in the project root runs the root package's own lifecycle scripts (preinstall, install, postinstall and prepare) in addition to installing dependencies. The attackers add "prepare": "node server/server.js" to package.json, so the malware runs the moment installation finishes, with no need for the victim to start the application. Running npm install --ignore-scripts (or setting ignore-scripts=true in .npmrc) skips all of these hooks, which is the cheapest single mitigation for this vector.

Vector 2: VS Code Auto-Execution

One of the more insidious methods involves the .vscode/tasks.json file. A task can declare "runOptions": { "runOn": "folderOpen" }, in which case VS Code starts it automatically when the folder is opened; the attackers use a shell task whose command is a curl or wget request that downloads a script from a remote command and control (C2) server and pipes it into a shell. The caveat that matters in practice: VS Code runs automatic tasks only in a trusted workspace, so the "Do you trust the authors of the files in this folder?" prompt on first open is the moment this vector is armed. Choosing Restricted Mode for an unknown repository, or setting task.allowAutomaticTasks to "off", keeps the task from running.

Vector 3: Remote Code Execution (RCE) and Exfiltration

Once the initial script runs, the malware establishes a backdoor. In the analyzed cases, the code did the following:

  • Environment Exfiltration: The malware reads process.env and POSTs the entire environment, which on a developer workstation typically includes AWS keys, Stripe keys and JWT secrets, to an API hosted on Vercel.
  • Dynamic Payload Loading: The backdoor polls a C2 server, which returns a string that is executed with new Function() or eval(). Whatever the attacker sends back runs with the developer's privileges in real time. This also explains why the repository itself can look fairly harmless on GitHub: the final payload never needs to be committed, only the loader.

Red Flags and Defense Strategies

Identifying these scams requires a combination of technical skepticism and social awareness.

Social Red Flags

  • The "Web3" Lure: As noted by the community, offers for "Web3 technical advisors" are currently high-risk indicators, because the sector is frequently targeted by state-sponsored actors (such as the Lazarus Group) to steal cryptocurrency.
  • Lack of Formalities: Be wary of anyone who asks you to run code before an NDA is signed or you have been formally onboarded into an organization.
  • Pressure to Run Locally: If an interviewer insists that you clone a repo and run it on your own machine while screen-sharing, rather than reviewing the code in a browser or a sandbox, treat it as a critical warning sign. A legitimate assessment does not depend on where the code executes.

Technical Safeguards

To protect your machine, treat third-party code with a "Zero Trust" mindset:

  • Use Cloud IDEs: Tools like GitHub Codespaces provide a disposable, isolated environment where you can inspect and even run code without risking your local OS. Keep in mind that a codespace still carries a GitHub token and any Codespaces secrets you have configured, so it is disposable, not credential-free.
  • Sandbox Everything: Never run npm install on, or execute binaries from, an unverified repository on your host machine. Use a Docker container or a dedicated virtual machine (VM) that holds none of your real credentials, and discard it afterwards.
  • Analyze Before Installing: Before running any install command, inspect package.json for lifecycle scripts (preinstall, install, postinstall, prepare), read whatever those scripts execute, and check the .vscode directory for tasks.json entries that run on folder open. If you do install, use npm install --ignore-scripts so nothing in the repo runs as a side effect.

As the attackers refine their approach, the line between a legitimate technical assessment and a security breach continues to blur. The best defense is a disciplined workflow: treat all unverified external code as hostile until it has been read, and only ever execute it in an isolated, credential-free environment.