Hackers Use Fake Job Tests to Hijack Developer Computers
Computer programmers and web developers are facing a dangerous new wave of cyberattacks that use “test projects” and fake job interviews as a front for malware. Security researchers have uncovered a massive operation where hackers create fake software repositories that look like legitimate coding assignments. When an unsuspecting developer downloads the project to show off their skills, they are actually opening a back door for criminals to take over their entire system.
This clever scheme is designed to slip right into a developer’s daily routine. Because programmers are constantly downloading code and running local servers, they are less likely to notice when a “job assessment” starts acting suspiciously. Microsoft and other security firms have traced these attacks back to groups with ties to North Korea, who are increasingly focusing on the tech sector to steal secrets, passwords, and cryptocurrency.
Three Sneaky Ways Your Code Turns Against You
The hackers have developed three main ways to infect a machine, all of which happen behind the scenes without the user ever seeing a “virus found” warning. The first method targets people who use Visual Studio Code, a very popular tool for writing software. The hackers configure the project so that as soon as a developer opens the folder and clicks “trust,” the software automatically reaches out to the internet to download and run malicious code.
The second method is even more devious because it happens during the build process. Most modern web development requires running a command like “npm run dev” to see your work. The attackers hide their malware inside fake versions of common libraries, like jQuery. When the developer starts their local server to check their progress, the computer quietly fetches a hidden payload and runs it directly in the system’s memory. This makes it incredibly hard for traditional antivirus software to find because there is no “evil file” sitting on the hard drive to scan.
The third trick involves the backend of the application. If a developer tries to launch the server side of the project, the malware immediately scans the computer’s environment variables. This is where sensitive information like API keys and passwords is often stored. The malware steals this data and sends it to the hackers, who then send back more commands for the computer to follow.
A Global Enterprise of Fake Identities
This isn’t just a few random hackers; it is a highly organized business. Reports from GitLab and other platforms show that these attackers operate like a professional corporation. They use hundreds of fake accounts, often using stolen or generated photos to pass through initial job screenings. Some of these “IT workers” have reportedly earned over $1.6 million by landing temporary contract jobs or stealing from the companies that interviewed them.
The groups are also getting better at hiding their tracks. Instead of using the same web addresses over and over, they are now using legitimate services like GitHub Gists, Google Drive, and even blockchain technology to store their malicious instructions. By hiding their code inside an NFT or a simple text file on a trusted site, they ensure that their “phone home” signals look like normal web traffic that a company firewall would never block.
How to Stay Safe in the Interview Process
The goal of these attacks is almost always the same: to get a foothold inside a company’s network. Once a developer’s laptop is compromised, the hackers can move through the rest of the company to find customer data, source code, or financial accounts. Because these actors are becoming more skilled at passing interviews and crafting believable personas, companies are being urged to change how they hire.
Security experts recommend that developers never “trust” a project in their code editor unless they have manually checked the configuration files first. Companies are also encouraged to use isolated “sandbox” environments for technical tests so that even if a project is malicious, it cannot touch the rest of the network. As the “natural selection” of these hackers continues, only the most prepared and skeptical developers will stay safe from this evolving digital trap.
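One way to do that manual check before clicking “trust” or running “npm run dev” is sketched below. It is an added example, not code from the researchers or any vendor. It assumes the auto-run is set up through VS Code's `.vscode/tasks.json` (`runOptions.runOn: folderOpen`), which the article does not name, and the sample project it writes is constructed.

```python
import json, re, sys, tempfile
from pathlib import Path

NPM_AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare"}  # run by "npm install"

def load_jsonc(path):
    """Parse JSON with whole-line // comments, /* */ comments and trailing commas (VS Code style)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def audit_project(root):
    """Return (file, reason, command) tuples to read before trusting or running the project."""
    root, findings = Path(root), []
    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        try:
            tasks = load_jsonc(tasks_file).get("tasks", [])
        except (ValueError, AttributeError):
            tasks = []
            findings.append((".vscode/tasks.json", "could not parse, read it by hand", ""))
        for task in tasks:
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                cmd = str(task.get("command", ""))
                findings.append((".vscode/tasks.json", "runs when the folder is opened", cmd))
    pkg_file = root / "package.json"
    if pkg_file.is_file():
        scripts = load_jsonc(pkg_file).get("scripts", {})
        for name, cmd in scripts.items():
            if name in NPM_AUTO_HOOKS:
                findings.append(("package.json", f"'{name}' runs on npm install", cmd))
            elif name in ("dev", "start"):
                findings.append(("package.json", f"'{name}' is what you are asked to run", cmd))
    return findings

def build_sample(root):  # constructed (not real-world) project, only to exercise audit_project
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(
        '{\n // constructed sample\n "version": "2.0.0",\n "tasks": [\n'
        '  {"label": "setup", "type": "shell", "command": "node ./scripts/setup.js",\n'
        '   "runOptions": {"runOn": "folderOpen"}},\n ]\n}\n')
    (root / "package.json").write_text(json.dumps(
        {"scripts": {"dev": "node server.js", "postinstall": "node lib/init.js", "test": "jest"}}))
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(Path(tempfile.mkdtemp()) / "sample")
    for finding in audit_project(target):
        print(" | ".join(finding))
```

The script only lists what would run; each listed command and the files it points to still have to be read by a person, ideally inside the isolated sandbox the experts recommend.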
