Haris Peter

Developers Beware: This Fake LinkedIn Interview Campaign is Targeting YOU (And Your SSH Keys)

If you are a backend developer, DevOps engineer, or work in the Web3/Crypto space, you need to read this immediately.

There is a sophisticated, ongoing cyberattack campaign targeting developers on LinkedIn. The attackers pose as enthusiastic co-founders or recruiters, lure you through a fake vetting process, and then deploy devastating malware by convincing you to download and run their "company MVP" code.

I recently encountered this exact scenario, and thanks to a healthy dose of suspicion, I avoided a massive security breach. Here is exactly how the scam works, the anatomy of the conversation, and the red flags you must look out for.

The Anatomy of the Scam

The "Contagious Interview" campaign, as security researchers call it, is a masterclass in social engineering. It follows a distinct pattern designed to build trust before the final payload.

Phase 1: The Initial Hook

It starts with a connection request or a cold InMail from someone who appears to be a legitimate founder or technical recruiter (often with a polished profile and shared connections).

The conversation starter:

"Hi, It’s a pleasure to meet you. We’re developing an exciting project and would be happy to explore potential collaboration with you."

It’s generic, positive, and flattering. They often target people who look like ambitious "go-getters" on GitHub.

Phase 2: Building Legitimacy and the "Vetting" Process

When you show interest, the attacker moves quickly to make the process seem structured. In my case, they immediately shared a generic Google Doc containing job descriptions and asked me to review it.

"Please find the job description below for your review: [Google Doc Link] I’d appreciate it if you could let me know which role best aligns with your skills."

This achieves two things for the attacker:

  1. It looks like a real HR process.
  2. It narrows down exactly which tools and languages you use, so the payload can be matched to your toolchain (if you pick the Backend role, they know you almost certainly have npm, Python, or Docker installed and will happily run an install command).

In my scenario, once I expressed preference for a backend role, they continued the standard interview dance, asking for my resume. I provided my GitHub resume link.

Phase 3: The "MVP Review" Trap

This is the critical turning point. Once they have engaged you and "accepted" your resume, they spring the trap. They offer to share their project’s Minimum Viable Product (MVP) and ask you to review the code before the interview.

"Here is the MVP version of the project: https://github[.]com/metabyte-org/NitroGem"

The accompanying request sounds like a standard take-home test, but it’s a setup:

Before our meeting, I’d appreciate it if you could:

  • Review the current MVP implementation
  • Understand how project listing, voting, and featured promotions function
  • Consider opportunities to improve UX...

STOP RIGHT HERE.

A legitimate company does not hand its full, proprietary source repository to an unvetted candidate before a single preliminary phone screen; at most you get a small, self-contained take-home task. This is the moment I knew something was wrong.

What Happens If You Clone the Repository?

The GitHub repository is a Trojan horse. It usually contains real, working application code (often lifted from a legitimate open-source project) so that it survives a casual look, with a small obfuscated malicious payload hidden inside it.

The attacker is relying on your initiative. As a developer, the first thing you are likely to do after cloning the repo is try to build and run it locally:

npm install
npm start
# OR
pip install -r requirements.txt
python setup.py install


The moment you run these commands, you are compromised.

This specific campaign drops malware that researchers track as BeaverTail (a JavaScript stealer and loader) and InvisibleFerret (a Python backdoor fetched as the second stage). The first stage is hidden in places a quick skim will miss:

  • npm lifecycle scripts in package.json (preinstall, install, postinstall), which npm runs automatically during npm install.
  • An obfuscated block appended to an otherwise normal source or config file, which executes when you run npm start.
  • Hidden dependency files and obfuscated scripts buried inside legitimate-looking libraries vendored into the repo.

The malware instantly executes in the background and begins aggressively harvesting your machine:

  1. It steals SSH private keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519 and anything else under ~/.ssh).
  2. It steals browser cookies and session tokens; a live session cookie logs the attacker in as you without the password or the second factor, so 2FA on your email, banking, and LinkedIn does not help.
  3. It steals saved browser passwords.
  4. It hunts for crypto wallets and browser-based wallet extensions such as MetaMask.

Within seconds, the attackers can have access to your personal life, your professional accounts, and potentially your current employer's infrastructure.

Key Red Flags (Your Checklist)

  1. Unsolicited Code Access: If anyone asks you to review or run an entire GitHub repository before a formal technical interview, treat it as a scam.
  2. Skipping the Interview Process: Moving from "Nice to meet you" to "Here’s our entire source code" in 10 minutes is a massive anomaly.
  3. The Web3/Crypto/Token Focus: While not all Web3 companies are scams, this campaign specifically uses the "Token/Crypto Listing" theme because it attracts developers with potentially valuable crypto assets on their machines.
  4. Google Docs for Job Descriptions: Legitimate companies have formal careers pages or use LinkedIn/Indeed’s built-in tools. While a startup might use a Google Doc, use it as an indicator for extreme caution.
  5. Obfuscated Files: If you do clone the repo, do it inside a disposable VM or container with no keys, tokens or wallets on it, and read before you run. Check the scripts block of package.json for preinstall/postinstall hooks, and look for eval(), child_process, raw IP addresses, and long base64 or \x-escaped strings in the source. If you see thousands of characters of base64-encoded garbage or oddly named dependencies, delete the clone. Note that npm install --ignore-scripts skips the lifecycle hooks but does nothing about code that runs on npm start.
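
As an added example (not code from the original post and not a sample from the campaign), the following Python script does the pre-run triage described in the "What Happens If You Clone the Repository?" section and in checklist item 5: it lists the npm lifecycle hooks in package.json that npm install would execute, and scans source files for obfuscation markers. The sample repository it builds in a temporary directory is constructed for the demo; the heuristics, thresholds and file names are my assumptions, and a hit means "open this file and read it", not "this is BeaverTail".

```python
"""Pre-run triage for a cloned repository.

Lists npm lifecycle hooks that `npm install` would execute and scans source
files for common obfuscation markers. Added example; heuristics are assumptions.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# npm runs these package.json scripts by itself during `npm install`.
# (`npm install --ignore-scripts` skips them; code run by `npm start` is unaffected.)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Markers worth a manual read. A hit is a reason to open the file, not proof of malware.
SUSPICIOUS_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\b(?:eval|Function)\s*\("),
    "child_process": re.compile(r"child_process|execSync|spawnSync"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json", ".py"}
LONG_LINE = 1500  # hand-written source rarely has lines this long; minified payloads do


def audit_package_json(path: Path) -> list[dict]:
    """Report scripts that npm would run automatically on install."""
    findings: list[dict] = []
    try:
        scripts = json.loads(path.read_text(encoding="utf-8")).get("scripts", {})
    except (ValueError, OSError):
        return findings
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append({"file": str(path), "kind": "lifecycle_script",
                             "detail": f"{hook}: {scripts[hook]}"})
    return findings


def scan_file(path: Path) -> list[dict]:
    """Flag obfuscation markers and abnormally long lines in one source file."""
    findings: list[dict] = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > LONG_LINE:
            findings.append({"file": str(path), "kind": "long_line",
                             "detail": f"line {lineno}: {len(line)} chars"})
        for kind, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": str(path), "kind": kind,
                                 "detail": f"line {lineno}"})
    return findings


def audit_repo(root: Path) -> list[dict]:
    """Walk a clone (skipping node_modules and .git) and collect all findings."""
    findings: list[dict] = []
    for path in root.rglob("*"):
        rel_parts = path.relative_to(root).parts
        if not path.is_file() or "node_modules" in rel_parts or ".git" in rel_parts:
            continue
        if path.name == "package.json":
            findings.extend(audit_package_json(path))
        if path.suffix in SCAN_SUFFIXES:
            findings.extend(scan_file(path))
    return findings


def build_sample_repo(root: Path) -> None:
    """Constructed sample, not a real campaign artifact: a plausible Express app
    with a postinstall hook and an obfuscated loader line appended to a config module."""
    (root / "package.json").write_text(json.dumps({
        "name": "demo-mvp",
        "scripts": {"start": "node server.js", "postinstall": "node lib/config.js"},
        "dependencies": {"express": "^4.18.0"},
    }, indent=2), encoding="utf-8")
    (root / "server.js").write_text(
        "const express = require('express');\nconst app = express();\napp.listen(3000);\n",
        encoding="utf-8")
    (root / "lib").mkdir()
    blob = "QUJD" * 80  # 320 chars of base64-looking filler standing in for a payload
    (root / "lib" / "config.js").write_text(
        "module.exports = { port: 3000, name: 'demo' };\n"
        f"eval(Buffer.from('{blob}', 'base64').toString());\n",
        encoding="utf-8")


def demo() -> list[dict]:
    """Build the sample repo in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['kind']:<22}] {f['file']}  {f['detail']}")
```

Run it against a real clone with audit_repo(Path("path/to/clone")) from inside a throwaway VM. On the constructed sample it reports the postinstall hook and the eval plus base64 blob in lib/config.js, and nothing for the clean server.js. The patterns are deliberately noisy; legitimate minified vendor bundles will trip long_line and base64_blob, which is exactly why the script tells you where to look rather than deciding for you.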

My Conclusion

Your instincts are your best defense. I knew this process wasn't right, and I didn't run the code. You should do the same.

If you encounter a message like this on LinkedIn:

  1. Do NOT clone the repository.
  2. Report the LinkedIn profile immediately for fraud.
  3. Block the account.
  4. If you already ran the code: disconnect the machine, rotate every SSH key and API token it held, sign out of all browser sessions and change the saved passwords, and move any crypto to fresh wallets.

We are developers. Our tools and our machines are powerful, which makes them prime targets. Don't let your eagerness for a new opportunity make you a victim. Spread the word and keep your environment safe.
