DEV Community

Alexander Selorm Kubi

Fake Job Offers Are Turning GitHub Repos Into a Trap

A new scam is hitting developers with fake job offers and malicious GitHub repos. Here's what you really need to know to stay safe.


The Perfect Setup

Picture this: you get an email or LinkedIn message about a cool new developer job. Great pay, interesting tech stack, remote work. They want you to do a quick coding challenge to prove you're not a total noob. Seems legit, right?

Wrong! This exact scenario is currently being used to hack developers all over the world. Security researchers (Kaspersky's GitVenom report, for one) have documented multiple fake job campaigns like this.

How They Get You

The Fake Job Offer

It starts innocently enough with old-school social engineering: someone reaches out about a job opportunity. Could be through email, LinkedIn, or any other platform. The role sounds perfect for your skills, the pay is attractive, and hey, who doesn't want new opportunities?

Here's the kicker: they want you to complete a "coding challenge" to prove you can handle the work. Totally normal in our industry, right? Except this time, you're about to download malware that'll steal everything from your SSH keys and passwords to your bank information (if you saved any).

The Legit-Looking Repo

Once you’re hooked, they send you to a GitHub repo. It looks totally normal. We're talking full-blown applications with:

  • Proper folder structure (frontend, backend, configs)
  • A normal-looking package.json with real dependencies
  • Detailed README with setup instructions
  • A believable commit history

But hidden inside? Pure trouble.

The Trap Hiding in Plain Sight

Here's where things get really scary. The malicious code is hidden so well that even experienced developers can be fooled. They're using techniques like:

Base64 Ninja Tricks: All the sketchy function names and file paths are encoded in base64, so a casual read of the source shows nothing. You literally can't see what they're doing until the strings are decoded and the code runs.

Fake License Files: One example had malware hidden inside what looked like a totally normal MIT license file. Who checks license files for malware? :D

Dependency Poisoning: They take legitimate npm packages or Python modules, inject malicious code into them, then bundle those modified copies with the project.

Runtime Activation: The malware only fires up when you actually run the app, with npm start or whatever the setup instructions tell you to run.

The Damage: It's Worse Than You Think

Let's talk numbers because they're absolutely wild:

  • GitVenom alone: 200+ malicious repos over two years
  • Money stolen: Almost $500K just from crypto wallets (that we know of)
  • Global victims: People getting hit in Russia, Brazil, Turkey, everywhere
  • Still active: New fake repos pop up regularly

What They're After (Spoiler: Everything)

When this malware runs, it's not just grabbing your browser passwords. It's going full scorched earth on your digital life:

Your Money

  • Crypto wallet keys and seed phrases
  • Any blockchain stuff stored in browsers
  • They even watch your clipboard to swap crypto addresses when you copy/paste

Auth stuff

  • SSH private keys (yes, all of them)
  • Saved browser passwords
  • Cookies from sites where you're logged in
  • Your entire macOS Keychain if you're on Mac

Your Personal Stuff

  • Browser history
  • Downloaded files
  • Screenshots of your desktop
  • Basically anything they think might be valuable

Possible Backdoor Access

  • Remote control of your machine
  • Keylogger to capture everything you type
  • Ability to mess with your files
  • Network access to spread to other systems

Red Flags That Should Make You Nope Right Out

The Job Offer Itself

  • Unsolicited opportunities that sound too perfect
  • Pressure to complete tasks ASAP
  • They want you to download and run code as part of the "interview"
  • Only communicating through email/chat (no video calls)
  • Vague company details

Technical Red Flags

  • Tons of base64-encoded garbage scattered around
  • Files that are included but never actually used
  • The README says one thing but the code does something totally different
  • Massive minified JavaScript files in weird places
  • Dependencies that make zero sense for the project
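A small triage script, added here as an example (it is not part of the original post or any vendor's tooling), that walks a cloned repo and flags the tricks from the "Trap Hiding in Plain Sight" section and the red flags just listed: long base64 blobs (decoded so you can see what they hide before anything runs), code tokens in license files, minified JavaScript outside the usual build folders, and npm lifecycle scripts. The sample repo it builds is constructed for the demo, and the file names and thresholds (80-char blobs, 500-char lines) are my assumptions.

```python
import base64, json, re, tempfile
from pathlib import Path

B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")                 # long base64-looking runs
CODE_RE = re.compile(r"\b(eval|require|exec|child_process)\b")   # code tokens in a text file
RISKY_CMD = ("node -e", "curl", "wget", "bash -c", "base64")      # odd content for npm scripts
SKIP_DIRS = {"node_modules", ".git", "dist"}                       # minified code is normal here
def scan_text(rel, text):
    """Return red-flag messages for one file (rel = POSIX path inside the repo)."""
    flags, name = [], rel.rsplit("/", 1)[-1]
    for m in B64_RE.finditer(text):
        try:   # decode the blob so the reviewer sees what it hides before anything runs
            preview = base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")[:40]
        except ValueError:
            preview = "<not decodable>"
        flags.append(f"{rel}: base64 blob -> {preview!r}")
    if name.upper().startswith("LICENSE") and CODE_RE.search(text):
        flags.append(f"{rel}: license file contains code-like tokens")
    if name.endswith(".js") and any(len(line) > 500 for line in text.splitlines()):
        flags.append(f"{rel}: minified-looking JavaScript outside {sorted(SKIP_DIRS)}")
    if name == "package.json":
        for hook, cmd in json.loads(text).get("scripts", {}).items():
            if hook in ("preinstall", "install", "postinstall") or any(r in cmd for r in RISKY_CMD):
                flags.append(f"{rel}: scripts.{hook} = {cmd!r}")   # hooks run on plain `npm install`
    return flags

def scan_repo(root):
    """Walk a cloned repo and collect every red flag, skipping SKIP_DIRS."""
    flags = []
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and not SKIP_DIRS & set(rel.parts[:-1]):
            flags += scan_text(rel.as_posix(), path.read_text(encoding="utf-8", errors="replace"))
    return flags

def build_sample_repo():
    """Constructed sample repo (not a real campaign artifact) showing the tricks described above."""
    root = tempfile.mkdtemp()
    blob = base64.b64encode(b"constructed demo blob: hidden path /home/dev/.ssh/id_rsa and loader name").decode()
    files = {
        "LICENSE": "MIT License\n\nPermission is hereby granted...\n/* " + blob + " */ require('./src/util/x')\n",
        "package.json": json.dumps({"scripts": {"postinstall": "node scripts/setup.js",
            "start": "node -e \"require('./src/util/x')\" && node server.js"}}),
        "src/util/x.js": "!function(){" + "a=1;" * 150 + "}();\n",  # one 600+ char line
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    return root
```

Run it on a real clone with `scan_repo("/path/to/clone")` from inside an isolated environment; a flag is a reason to open and read that file, not proof of malware.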

The Account/Repo

  • Brand new GitHub account with barely any history
  • Fake contributors
  • Multiple similar projects from the same sketchy account
  • Fork chains that lead back to accounts with nothing legitimate

How to Protect Yourself

Don't Be an Easy Target

Verify Everything

  • Look up the company independently; don't just trust the email
  • Find the job posting on their official website
  • Demand a video call and ask detailed questions about the company
  • If it sounds too good to be true, it probably is

Isolation Is Your Friend

  • Use VMs, containers, or GitHub Codespaces for testing sketchy code
  • Keep your personal and work environments completely separate
  • Have a dedicated "testing" machine/user account/sandbox that you don't care about

Review Everything

  • Look at all files, even the boring ones
  • Check for weird imports or obfuscated code
  • If there's minified JavaScript, be extra paranoid
  • Make sure dependencies actually match what the project claims to do

Stay Secure

  • Keep everything updated (OS, security software, the works)
  • Monitor your processes and network traffic
  • Back up your important stuff regularly

If You're Running a Team

Education Is Everything

  • Train your devs about these specific threats
  • Have clear policies about external code
  • Plan for how to respond if someone gets compromised

Technical Safeguards

  • Monitor network traffic for weird outbound connections
  • Check external repos before running them
  • Keep dev environments isolated

Why This Matters for Everyone

These scams don't just hit individuals; they mess with the entire open-source world. When we can't trust code or communities, we all lose.

And these attackers are just getting started. Next we'll probably see:

  • AI-generated code that's even harder to spot as malicious
  • Deepfake videos for "video interviews"
  • Attacks that spread to cloud infra or CI/CD pipelines

What's Being Done About It

The good news is people are fighting back:

GitHub and Others

  • Removing flagged repos
  • Better automated detection for suspicious patterns
  • Stricter verification for new accounts
  • Improved reporting tools

Security Researchers

  • Companies like Kaspersky and Check Point are tracking these campaigns
  • Threat intel gets shared across the whole security community and industry

Bottom Line: Stay Paranoid (In a Good Way)

Fake job offers + malicious GitHub repos = a nightmare for developers. These scams work because they exploit our trust, curiosity, and drive to land better gigs.

The good news? Just knowing this trick exists makes you way harder to fool.

The most important thing to remember: if someone wants you to download and run unknown code, especially under time pressure, be careful.

Here's what you should do right now:

  1. Share this info with your team/friends
  2. Set up proper isolation for testing unknown code

Stay safe out there, and remember: if it feels sketchy, it probably is.
