🚨 WARNING TO DEVELOPERS: A new wave of “technical test scams” is targeting devs — and it's getting more sophisticated
Over the past few months, several developers — including myself — have been targeted by a scam involving fake technical tests sent by “recruiters.”
People like Allan Lancioni, João Pessoa, and Muhammad Ramadhani have already documented identical attacks. Their posts are must-reads.
This is not theoretical.
It’s real. It’s happening now.
And yes — it almost happened to me this year.
🔥 How the scam works (same pattern every time):
- A “recruiter” (sometimes pretending to be a CEO/HR) contacts you.
- The job looks amazing — above-market salary, remote position, paid in USD, etc.
- They ask for your CV and GitHub.
- They say you’re “approved for the next stage” without any real interview.
- Before the call, they send you a codebase to review or modify as a “technical test.”
And that’s where the attack kicks in.
Installing or running the project executes a malicious script hidden in the dependencies or in an obfuscated bundled file. Note that npm runs dependency lifecycle hooks (preinstall, postinstall) during `npm install`, so the payload can fire before you ever start the app. The result is remote code execution on your machine, giving the attacker access to browser wallets, SSH keys, and other local credentials.
🧨 Real cases from the community
👉 Allan Lancioni
He reverse-engineered an actual attack.
The project contained scripts that enabled code injection and crypto-wallet theft.
His post (highly recommended):
https://www.linkedin.com/pulse/como-identifiquei-um-golpe-em-teste-t%C3%A9cnico-an%C3%A1lise-real-lancioni-kcyac/
👉 João Pessoa
He received a suspicious repo as a “technical test.”
In the package.json he found:
- fs@0.0.1-security (npm's security-holding placeholder, inserted when a malicious package is removed; fs is a Node built-in and never needs installing)
- execp@0.0.1 (malicious package designed to execute arbitrary commands)
- request (deprecated + vulnerable)
- A remote-code-execution script hidden in dark.min.js, using atob + eval
His post:
https://www.linkedin.com/in/jppessoa/
👉 Muhammad Ramadhani
Received an almost identical project with the same malicious dependencies.
His warning went viral in the Web3 community.
Profile: https://www.linkedin.com/in/ramadhvni/
⚠️ And my personal case?
Yes — they tried this with me too.
The red flags:
- The company claimed to be “X”, but the recruiter used a gmail.com address.
- The repo had zero relation to the company name.
- The project involved crypto (again, same pattern).
- The code structure was suspicious.
- They pushed me to run the project before any technical call.
The repo I received:
👉 mega-org99/Coinpromoting_dApp
Allan even replied saying the repo he received was extremely similar:
👉 megaorg991/tokentradingdapp
Same structure.
Same dependencies.
Same modus operandi.
Probably the same group.
My intuition kicked in — and I dropped the process immediately.
Better to lose a “job opportunity” than compromise my machine, accounts, and data.
🛡️ How to protect yourself (practical checklist):
✔️ 1. NEVER run npm install, yarn, or pip install on unknown projects.
Open the dependency files first.
Look for suspicious packages, lifecycle hooks (preinstall/postinstall) in package.json, 0.0.x or single-version modules, weird names, and minified files the project has no reason to ship.
If you absolutely must install, use `npm install --ignore-scripts` inside a disposable VM with no wallets or SSH keys on it; even then, starting the app still runs its code.
✔️ 2. Be skeptical of any test sent before a real conversation.
Scammers skip interviews — they push codebases.
✔️ 3. Check the recruiter’s email and company domain.
Gmail = red flag.
✔️ 4. Ask for a technical explanation of the project.
Scammers avoid calls.
✔️ 5. Use ChatGPT (or any LLM) as a second opinion on suspicious code.
Paste the dependency list and any minified file: it will often spot obvious patterns such as eval(atob(...)) or known-bad package names. Treat it as a hint, not a verdict; obfuscated payloads can slip past it, so still read the files yourself.
✔️ 6. If an offer seems too good to be true… it probably is.
High salary + “easy test” + no interview = scam formula.
🚨 Final reminder: This isn’t paranoia — it’s protection.
Scammers target developers because:
- devs run code
- devs store SSH keys, API tokens, environment secrets
- devs often have corporate access
- devs trust “technical tests” too easily
- devs working with Web3/crypto are especially vulnerable
If something feels off, walk away.
Your instinct is a security tool.
Stay safe. Audit everything. Trust nothing blindly.