How a Fake Job-Interview Repo Tried to Steal My Keys (and How I Caught It)

The message looked completely normal. A recruiter, a short pitch, a "take-home challenge" hosted on GitHub. Clone it, run npm install, get the dev server up, build a small feature, send it back. Standard stuff. I have done a dozen of these. This one was trying to steal my wallet keys and browser session data before I ever wrote a line of code.

It did not hide the malware in the app. It hid it in the build tooling. That is the whole trick, and it is the reason a lot of experienced developers get caught. You read src/, it looks fine, so you trust it. Nobody reads the lockfile. Nobody reads the postinstall script. That is exactly where the payload lives.

Here is the full teardown: what the lure looks like, the exact red flags, how I investigated it without running it, and the defenses you should adopt today.

The setup: Contagious Interview

This is a known campaign. Security researchers track it as "Contagious Interview," attributed to North Korea-aligned actors. The pattern is consistent: