A "recruiter" messaged me on LinkedIn a few weeks back. Good profile, real-looking company, a Web3 role that paid well. We got to the part every developer knows: a small take-home task. Clone this repo, run npm install, get the demo working, send it back by Friday.
I didn't run it. Not because I'm smart, but because I've seen where that ends. And the ending is worse than most people think: you don't get a job, you get your wallet emptied.
This is now one of the most active supply-chain attacks aimed at our industry, and it targets crypto and Web3 developers on purpose. Researchers call it Contagious Interview. It's run by North Korean state actors, and in a single recent month they pushed close to 200 malicious npm packages, downloaded more than 31,000 times before anyone caught them. Microsoft, Socket, and Trend Micro have all published on it in 2026. If you write Solidity or ship dApps for a living, you are the intended victim.
How it actually works
The setup is boring on purpose, because boring is convincing.
First contact looks like normal recruiting. A message on LinkedIn, sometimes a whole fake company with a website and a multi-step interview. Nothing feels off, because nothing is off yet.
Then comes the test task. You're asked to clone a repo from GitHub, GitLab, or Bitbucket and get it running. The moment you run npm install, a hidden script in the package pulls down a second payload. A newer version of the trick skips npm entirely: you open the project in VS Code, it asks you to "trust the repository author," you click yes, and VS Code runs a task file that fetches the backdoor for you.
That payload has a name in the reports: BeaverTail, paired with an infostealer called OtterCookie. Once it's on your machine it goes straight for what matters. It reads your clipboard, logs your keystrokes, takes screenshots, and crawls your files for browser credentials, documents, wallet data, and seed phrases. Then it ships all of it to a server the attacker controls. Some of the newer infrastructure even stages payloads on-chain (Tron, Aptos, BNB Chain) so it can't be taken down the usual way.
If your hot wallet or your seed phrase lives anywhere on that laptop, it's gone in minutes. No exploit in your smart contract required. They just walked in through your terminal because you were being a normal, helpful candidate.
Why us specifically
Regular developers get their npm token stolen. We hold keys to money. A crypto dev's laptop often has a browser wallet, a testnet wallet with real habits, private keys in a .env file "just for now," maybe a hardware wallet that's currently plugged in. That's the whole point of targeting this niche. The payoff is direct.
How to spot it
A few things that should make you stop:
The task pushes you to run code fast, locally, on your own machine, and it's oddly specific about installing dependencies before you've even read anything.
The repo has a package.json with install scripts, obfuscated strings, or a suspicious postinstall step. Real take-homes rarely need to phone home during setup.
The recruiter resists a quick video call, or the "company" has a website that's a month old with no real footprint.
None of these alone proves an attack. Together they're a pattern worth trusting.
How to not get caught
This is the part I actually care about, because the fix is not complicated.
Never run a stranger's code on the machine that holds your keys. That's the whole rule. Everything below is just how to follow it.
Run take-home tasks in a throwaway environment: a VM, a container, or a spare machine that has no wallets, no seed phrases, no real credentials on it. Read the code before you run anything, and look at package.json for install and postinstall scripts first. If a coding test needs network access during npm install, that's a question, not a green light.
Keep your keys off your dev laptop entirely. Hardware wallet for anything with value, and a separate signing setup you don't casually plug in. If a machine ever touches untrusted code, treat any key that was on it as burned.
At Chainwright this is just how we work. Every external repo is untrusted until proven otherwise, installs run isolated, and keys never sit on a machine that runs other people's code. Not because we're paranoid, but because in this space one careless npm install is the difference between shipping a product and explaining to your community where the treasury went.
Stay sharp out there. The next "great opportunity" in your inbox might be exactly that, or it might be someone who spent a week building a fake company just to watch you type npm install.
— Hana, Chainwright