今日已更新 166 条资讯 | 累计 20138 条内容
关于我们

How a Fake Job-Interview Repo Tried to Steal My Keys (and How I Caught It)

Pavel Espitia 2026年06月04日 02:50 3 次阅读 来源:Dev.to

The message looked completely normal. A recruiter, a short pitch, a "take-home challenge" hosted on GitHub. Clone it, run npm install , get the dev server up, build a small feature, send it back. Standard stuff. I have done a dozen of these. This one was trying to steal my wallet keys and browser session data before I ever wrote a line of code. It did not hide the malware in the app. It hid it in the build tooling. That is the whole trick, and it is the reason a lot of experienced developers get caught. You read src/ , it looks fine, so you trust it. Nobody reads the lockfile. Nobody reads the postinstall script. That is exactly where the payload lives. Here is the full teardown: what the lure looks like, the exact red flags, how I investigated it without running it, and the defenses you should adopt today. The setup: Contagious Interview This is a known campaign. Security researchers track it as "Contagious Interview," attributed to North Korea-aligned actors. The pattern is consistent: You get contacted about a job, often blockchain or full-stack, often with a salary that is a little too good. You are given a code repository to clone and run as a "technical assessment." The repo runs malicious code at install or build time, not at runtime. The payload pulls a second-stage downloader, grabs your environment variables, crypto wallet files, browser-stored credentials, and keychain data, then exfiltrates them to a remote host. The genius of it is the framing. A normal developer reflex when running untrusted code is "I will read the code before I trust it." But you read the application code. You do not read what npm install does, because npm install is something you run a hundred times a week without thinking. Red flag 1: a postinstall script that does not belong The first thing I do with any unfamiliar repo is open package.json and read the scripts block. Specifically, I look for lifecycle hooks: preinstall , install , postinstall , prepare . These run automatically w

本文内容来源于互联网,版权归原作者所有
查看原文