Skip to main content
Emerging Threats

Scammers Exploit Trust in Remote Job Interviews

Person sitting at laptop with neutral expression, hint of Zoom call on screen.

"They reassured me - and they did a good job - to get me to let my guard down, and just run the freaking code," said Boris Vujičić, describing a recruitment interaction that turned into a live intrusion on his laptop.

A convincing outreach: LinkedIn, a polished site, and a camera-on Zoom call

Vujičić, a web developer based in Serbia, received a LinkedIn message from a recruiter claiming to represent a blockchain firm called Genusix Labs. The outreach looked routine: a company LinkedIn profile, a seemingly normal website with a "Leadership Team" and matching headshots, and an initial HR interview conducted on camera over Zoom by an employee named Zam Villalon. Vujičić said the call "didn't look like a cheap deepfake" and that the participant's English and manner felt natural.

He told The Register he is no stranger to recruitment scams — he receives such messages daily and once got eight in a single day — and that he previously worked for Step Finance before a breach and a subsequent $40 million cryptocurrency heist shuttered that decentralized-finance business earlier this year.

The live-coding test that dropped a backdoor

After a second-round technical interview with two engineers — one of whom also appeared on the company's website — he was offered a live-coding test. The interviewers even said, "Feel free to look for backdoors." That reassurance helped convince him to run the provided code in his environment.

When Vujičić executed the test, a macOS popup appeared: "patch[.]sh wants to run as a background process." He ended the interview, disconnected his Wi‑Fi, and began searching his system for the offending script. He found a shell script named camdriver[.]sh inside a temporary camera-driver folder.

What the malware did in 56 seconds

Vujičić described the attack as "very sophisticated" and wrote that the malicious package was "hidden inside a dependency of a dependency." The shell script executed silently, checked the machine's CPU architecture, and then downloaded a matching payload. It also configured itself to restart at boot.

The downloaded payload was a backdoor written in Go that used a custom RC4‑encrypted protocol. Vujičić reported the backdoor included commands for shell execution, file theft, Chrome password extraction, macOS Keychain exfiltration, and crypto‑wallet targeting. He stopped the scripts and manually removed files, but in the 56 seconds the code ran before he cut connectivity the attackers collected 634 saved Chrome passwords, his macOS keychain, and his MetaMask wallet data.

Afterward he changed all his passwords, and he told The Register the digital thieves "didn't steal any of his crypto." Vujičić also said, bluntly, "Every saved password - banking, email, GitHub - was readable on their end."

Reporting, attribution, and links to earlier incidents

Vujičić reported the fake GitHub repository to npm and GitHub, the Genusix profiles to LinkedIn, the domain to HostGator, and the IP address to AbuseRadar. He forwarded logs and artifacts to incident responders at zeroShadow, who had previously investigated the Step Finance breach. According to Vujičić, zeroShadow believes North Korean government‑linked attackers were behind both the earlier compromise of Step Finance and the recruitment scam that targeted him, noting the same code and tactics were used in both incidents.

What this means for developers, platform providers, and affected enterprises

  • Developers and security teams: The attack exploited a common hiring ritual — live-coding tests — and concealed code inside a nested dependency. Developers will want to scrutinize remote test workflows, sandbox execution, and dependency chains before running unvetted repos locally.
  • Platform providers (GitHub, npm, LinkedIn, hosting services): Fake company profiles, repositories, and domains were part of the lure. Providers will be expected to act on reports quickly and to consider signals that link recruitment activity to known malicious code or to other breached entities.
  • Enterprises in crypto and DevOps: Vujičić warned of a plausible escalation path where attackers hire developers, onboard them into Slack or Discord, deliver "fake onboarding documents" and then push a malicious task — a sequence that could enable credential theft, drained wallets, infected registries, and compromised CI/CD pipelines.

Vujičić told The Register he felt shame at having been tricked, but also admiration for the authors of the malware: "The script is very sophisticated and beautiful - I like the code," he wrote. The episode underscores a shift in tactics: attackers folding social engineering into recruitment workflows and pairing it with well-crafted, architecture-aware malware. As he put it, the non‑pushiness of the scammers — offering an alternative online editor when he hesitated — was itself part of the deception that led him to run the code.

The practical takeaway is blunt: credential stores and wallets can be exfiltrated in under a minute if attackers get code execution and a foothold, and the vectors now include the rituals of hiring itself. Who will be ready when the next recruitment becomes the first stage of a supply‑chain compromise is the open question left by Vujičić's experience.

Original story at The Register