DEV Community

IkemHood

The Fake Job Listing That Was Just a Front for Pushing Malware - My Story

Introduction

As a freelance developer, I'm always keeping an eye out for potential new projects to take on. So when a friend reached out about an interesting blockchain gig they had seen, I was definitely interested.

The role involved building web apps with React and some blockchain integration - right up my alley! Little did I know that would lead me down a rabbit hole of red flags and questionable technical “screening”.

Devs have to be selective about the clients we take on. But we don't expect trouble from potential employers themselves. This bizarre scheme I uncovered taught me that job seekers need to be vigilant too.

I wanted to share my story as a cautionary tale about keeping your guard up. Especially when asked to run unknown code for an interview “test”. With so many unethical actors out there, we have to watch each other’s backs.

The Job Listing That Wasn’t What It Seemed

This whole shady situation started with a blockchain developer job listing a friend shared with me. It seemed pretty normal at first - they were looking for someone with React and blockchain development experience to work on web apps.

But the suspicious part was their instructions for “assessing candidates.” The listing included a Google Drive link and asked applicants to download the code, get it running locally, and send a screenshot of the app as proof before moving to the next interview stage.

screenshot of job request

In hindsight, this was clearly a ruse to get unsuspecting developers to run malware. But at the time, I didn't immediately think twice about it. I figured it was just a small technical challenge to evaluate skills before an in-depth interview.

So I downloaded the linked codebase and started reviewing it carefully, knowing anything from an unknown source should be vetted first. That's when the red flags popped up...

Red Flags Raised My Suspicions

Once I extracted the files, at first glance nothing seemed too out of the ordinary. Just a typical React project skeleton with dependencies in package.json. But having heard horror stories of malicious technical tests, I knew better than to just npm install and start building.

That’s when the first red flag popped up. I noticed this config.js file that was called from the package.json scripts:

Package.json file with malicious code trigger

Very odd place for configuration code. And sure enough when I opened it up, there was a mess of heavily obfuscated code full of encoding and encryption:

Malicious config file

My heartbeat quickened. Obfuscation like that is almost always a giveaway of malicious intent. Legitimate config has no reason to hide itself that way. It immediately became clear what was going on - this was malware disguised as an interview “test”.

Malware Designed to Compromise My System

My stomach turned as it set in how unethical this was. A potential employer looking to compromise my personal info and system security under the guise of screening me. Who knows what kind of data their malware aimed to extract had I naively installed and run their code. Absolute violation of trust.

I took a deep breath and went into damage control mode. First step – to feed my curiosity, I copied the entire config.js code into ChatGPT for analysis and possibly unwrapping it.

ChatGPT remark on the malicious code

Then I tried to ask ChatGPT to see if it could show me what exactly the code was doing, but it refused.

ChatGPT refusing to decompile code on legality

Then I tried Claude, which was a little more lenient and allowed me to get an overview of what was happening. It was obviously what I expected.

Claude's deconstruction of the malicious code

Having understood what the malicious code was meant for, I went ahead to completely wipe both the codebase itself and any system I had unpacked it on. No point trying to debug such clearly malicious code. I wasn’t about to let my machine become their playground.

Next I considered reporting this behavior for such a blatantly unethical practice. But I quickly realized there was probably no point. They clearly knew what they were doing was wrong. Reporting them would likely accomplish nothing. Better to share my experience and help other developers spot similar red flags.

While an extremely unsettling experience, it was an important reminder to thoroughly vet technical screening tests during a job search. You have to be able to trust that employers have your best interests in mind.

Key Takeaways for Job Seekers

Since going through this sneaky malware scheme disguised as an interview test, I’m vigilant about technical assessments. Here are some key lessons I learned:

  • Look out for unnecessary obfuscation of code or implementation details - huge red flag.

  • Don't feel rushed into running unknown code for a test. Ask for more details if anything seems unclear.

  • Review tests in an isolated environment first, not your main system. Check for any suspicious network activity.

  • Get a second opinion from other developers if something seems off about a test.

  • Remember employers have no right to probe your personal data without consent.

  • Consider anonymously reporting unethical behavior to help protect others.
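
An added example, not part of the original post: a static check in JavaScript that lists which package.json scripts launch a local JS file and flags obfuscation indicators in that file, without executing anything from the project. The watched script names, the thresholds, and the sample package.json and config.js contents are assumptions constructed for illustration.

```javascript
// Added example: static triage of an untrusted npm project. It only reads
// text; it never runs the project's code. Thresholds are assumed heuristics.
const AUTO_RUN = ['preinstall', 'install', 'postinstall', 'prepare']; // run by `npm install`
const USER_RUN = ['start', 'dev', 'build', 'test'];                   // run on request

// Heuristic obfuscation indicators for one source file.
function obfuscationSignals(source) {
  const signals = [];
  const longest = source.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  if (longest > 1000) signals.push('very long line');
  if (/\beval\s*\(|\bnew\s+Function\s*\(/.test(source)) signals.push('dynamic code execution');
  if ((source.match(/\\x[0-9a-fA-F]{2}/g) || []).length > 20) signals.push('hex-escaped strings');
  if (/[A-Za-z0-9+\/]{200,}/.test(source)) signals.push('long base64-like blob');
  return signals;
}

// List every watched script that launches a local JS file, with that file's signals.
// pkg: parsed package.json; files: map of relative path -> file text.
function triage(pkg, files) {
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (!AUTO_RUN.includes(name) && !USER_RUN.includes(name)) continue;
    for (const m of String(cmd).matchAll(/\bnode\s+(?:\.\/)?([\w.\/-]+\.[cm]?js)\b/g)) {
      const src = files[m[1]];
      findings.push({
        script: name,
        file: m[1],
        runsOnInstall: AUTO_RUN.includes(name),
        signals: src === undefined ? ['file not found'] : obfuscationSignals(src),
      });
    }
  }
  return findings;
}

// Constructed sample input (not the files from the listing): a start script
// that chains a local config.js, whose body is a harmless hex-escaped string.
const samplePkg = { scripts: { start: 'node config.js && react-scripts start', build: 'react-scripts build' } };
const sampleFiles = { 'config.js': 'var s="' + '\\x41'.repeat(30) + '";eval(s);' };

console.log(triage(samplePkg, sampleFiles));
```

Dependencies can ship their own install scripts, so a clean result here does not replace a first run with `npm install --ignore-scripts` inside a throwaway VM or container.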

While most companies are ethical, it pays to be vigilant. You should feel empowered to question anything that doesn’t seem legitimate. Your skills speak for themselves - you don’t need to comply with shady tests. Prioritize your safety and code of ethics.

Conclusion

This experience with a malware “technical screening” left me rattled but also better prepared to identify red flags going forward. However, it worries me that more naive developers may fall victim to traps like this.

We all just want to build cool things with technology in an ethical way. Having to guard against potential employers is an unfortunate burden. My hope in sharing this story is that it will help shine a light on some deceptive practices that take place under the guise of job screening.

Devs, watch each other's backs out there. We have so much to contribute when given the chance. Don't let schemes like this undermine your potential. Prioritize openness, ethics, and safety in your job search. The right opportunities are out there.

Top comments (2)

Justice Ekemezie

This was an interesting read; thanks for sharing. The lesson for me is to look out for signs such as an unconventional way of sharing code.

The idea of sharing code with Google Drive, running the code, and sending a screenshot is not practiced in the industry.

A single red flag should get us to question everything.

IkemHood

True