Imagine getting an offer for your dream job, but handing over your computer to a hacker in the process.
This isn’t a plot from a cybersecurity thriller. It’s the reality of a growing threat in the digital recruitment space, where job scams have evolved from phishing emails to full-blown remote code execution attacks disguised as technical assessments. We invited Akim Mamedov, a CTO, to share his experience and recommendations.
***
For quite some time there were rumors that a new type of scam had emerged in hiring, especially on platforms like LinkedIn. I didn’t pay enough attention until I encountered this scam scheme personally.
The truth is that almost every scam relies on social engineering, e.g., luring a person into performing some action without paying enough attention. This kind is similar: the desired outcome is running malicious code on the user’s computer. Now let’s dive deep into the details and explore how the scheme works and how the bad guys attempt to do their dirty business.
While surfing LinkedIn, I received a message from a guy about an interesting job offer. He described the role in detail, promised a good salary and was actively asking for my attention.
Before switching to Telegram I checked the profile of the guy and it looked pretty decent – good working experience, extensive profile information, linked university and company where he supposedly works.
After moving to Telegram, we decided to schedule a call.
On the call, I had a chance to see him in person – it was an Indian guy with a long beard. I didn’t have the opportunity to take screenshots because he immediately turned his camera off. This is when it started to look suspicious as hell, so I started taking screenshots of everything.
He asked a couple of quick questions like “tell me about a project” and “confirm that you’ve worked with this and with that”. At the end of the call he said that there was still a small test task which I had to solve and then they would hire me.
That’s where the interesting part begins. I’ve opened the archive and started checking the code.
Meanwhile, I messaged a couple of questions to HR, so he got the feeling that I was aware of the malware and deleted the messages in Telegram and LinkedIn. Now let’s focus on what the code does.
At first glance, it’s a simple JavaScript backend project.
But what are @el3um4s/run-vbs and python-shell doing inside this simple JS test task?
After a quick search of usages, I found a file where this package is actually used.
There are 2 files – one for Windows OS and the other for any other OS with Python installed. Let’s check the one with Python code.
Inside the file with Python code we have a script which collects some computer information and sends it to the server. The response from that server could contain instructions which go directly to the exec() function, thus executing arbitrary code on the system. This looks like a botnet script which keeps an endless connection to the attacker’s server and waits until the server responds to perform some actions. Needless to say, running this script means handing your system over to an attacker, thus allowing reading sensitive data, tinkering with OS services and utilizing computer resources.
This is the opinion of ChatGPT regarding the code in that file.
The impact of this scheme could possibly be big enough to infect thousands of computers. Sure, there are a lot of arrogant developers who consider this test task too easy to spend more than a couple of minutes on and will try to finish it fast. Junior developers are at risk too – lured by high salaries and undemanding job descriptions, they will run the project without properly understanding it.
In conclusion, be mindful of the code you’re trying to run; always check any source code and scripts you’re running.
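One way to do the check recommended above without running anything, as an added example (not code from the article or from the archive it describes): a static triage that flags the two script-launching packages named above in package.json and Python files that call exec() or eval(), noting network imports. The npm install-hook check, the module lists and all function names are assumptions of this example and go beyond the single case in the article.

```python
import ast
import json
from pathlib import Path

# The two packages named in the article; both let Node.js launch another script.
SCRIPT_LAUNCHERS = {"@el3um4s/run-vbs", "python-shell"}
# Assumed heuristics for this example, not a complete signature set.
INSTALL_HOOKS = {"preinstall", "install", "postinstall"}
DYNAMIC_EXEC = {"exec", "eval"}
NETWORK_MODULES = {"socket", "requests", "urllib", "http", "websocket"}

def scan_manifest(path):
    """Flag script-launching dependencies and install-time hooks in package.json."""
    try:
        pkg = json.loads(path.read_text(encoding="utf-8", errors="replace"))
        deps = set(pkg.get("dependencies", {})) | set(pkg.get("devDependencies", {}))
        hooks = INSTALL_HOOKS & set(pkg.get("scripts", {}))
    except (ValueError, AttributeError, TypeError):
        return ["package.json is malformed (review by hand)"]
    return ([f"script-launching dependency: {d}" for d in sorted(SCRIPT_LAUNCHERS & deps)]
            + [f"npm install hook: {h}" for h in sorted(hooks)])

def scan_python(path):
    """Flag exec()/eval() calls, noting when the file also imports network code."""
    try:
        tree = ast.parse(path.read_text(encoding="utf-8", errors="replace"))
    except (SyntaxError, ValueError):
        return ["Python file does not parse (review by hand)"]
    calls, imports = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            calls.add(node.func.id)  # direct calls only; aliased exec is missed
        elif isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
    nets = sorted(NETWORK_MODULES & imports)
    note = f" next to network imports ({', '.join(nets)}): remote input may be executed" if nets else ""
    return [f"dynamic execution: {name}(){note}" for name in sorted(DYNAMIC_EXEC & calls)]

def triage(project_dir):
    """Statically inspect an unpacked project; nothing in it is executed."""
    root = Path(project_dir)
    targets = [(p, scan_manifest) for p in root.rglob("package.json")]
    targets += [(p, scan_python) for p in root.rglob("*.py")]
    return [(p.relative_to(root).as_posix(), hit)
            for p, scan in sorted(targets, key=lambda t: t[0]) if p.is_file()
            for hit in scan(p)]
```

Call triage() on the unpacked archive before any npm install; an empty result only means these heuristics found nothing, so the code still needs to be read.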
This is a chilling reminder that social engineering isn’t just about phishing anymore – it’s evolving into technical manipulation. Developers, especially juniors, need more awareness training, not just on coding but on what not to trust.
Would love to see GitHub or security communities start a repository of known scam code patterns – like a “virus signature” for job scams.
Thanks for sharing this experience, Akim. It’s terrifying how polished and believable these fake HR profiles are. The human layer of cybersecurity is clearly the weakest link and the most targeted.
We often assume that tech assessments are a safe, routine part of hiring. But this shows that even a .zip file from someone claiming to be HR can be a trojan horse. I strongly believe that cyber hygiene needs to be part of onboarding, even before you’re hired!
The scariest part? This scam is so personalized and convincing – video call, detailed job description, tailored test – it bypasses all the red flags we’ve been taught to look for. Time for new playbooks.
A great reminder: never trust code you didn’t write or audit. Even if it comes from “HR”.
ikr? This is next-level social engineering. They’re not phishing for your data anymore – they’re deploying remote code via your curiosity and ambition. Harsh, but real.
Imagine how many others just double-click and hope for the best. We need to normalise code paranoia in job assessments.
Ironically, one of the best signs of a scam was the camera being turned off. A real recruiter or hiring manager would want to build rapport, not hide behind a profile picture. Always trust your gut.
I think platforms like LinkedIn need to start proactively flagging or auditing unusual recruiter activity. This isn’t just a user problem – it’s a systemic trust issue.
A great example of why soft skills matter in engineering. Curiosity, skepticism, and attention to detail saved Akim here – not just coding ability.
Sad but true: scammers now understand developer psychology better than many companies. They craft job offers that speak to ego, urgency, and reward. Awareness is our only shield.
One small recommendation for everyone: use a virtual machine or sandbox environment for any external test tasks. Treat job tests like they’re unknown USB drives. Take care.
What I found most insightful is how the scam targeted both technical vulnerability and emotional vulnerability – desire for a better job, a fast-track offer, a good salary. That’s precision manipulation.
This story reminds me of the “USB drop” social engineering tactics – except now it’s digital, and on LinkedIn. We’ve upgraded the scam vector, but not the defenses.
Can we start teaching this in bootcamps? The scams aren’t theoretical. This is real-world threat modeling developers aren’t being prepared for.
This also raises another issue: companies must start signing their test code or hosting it on verified repositories. We need a standard to verify code legitimacy during hiring.
Scammy HR was a meme; now it’s malware. This story should be required reading for anyone applying for jobs in tech or frankly, anyone working remotely.
The fact that this attacker mimicked the entire hiring process from LinkedIn outreach to video call shows how low the barrier to launching sophisticated scams has become. They’re playing the long game. Be careful!
The attackers here used technical fluency to simulate credibility. It’s a sharp reminder: being “techy” doesn’t mean being trustworthy. Code doesn’t lie, but people do.
Years ago, I received a “test assignment” for a machine learning position that included an R package. Everything seemed legit until I ran it on a fresh cloud instance – the package silently installed a keylogger. I only caught it because the instance usage spiked afterward. Imagine if that had been my personal laptop.
An intern on our team nearly fell for this last month. She shared a “test archive” with us to review and we noticed hardcoded external IPs and a shell script trying to access /etc/shadow. It was a close call. She thought she had to impress the recruiter by acting fast. Instead, she almost gave up root access.
A friend of mine actually went through something similar last year. He was given a “performance test” for a remote React developer job. Inside the zipped repo was a script that asked for elevated access, supposedly to run test servers locally. Luckily, he asked a mentor to review it first — turns out it was a modified miner script designed to run silently in the background.
We need security primers designed specifically for freelancers and job seekers. Not all cyber threats target businesses – some go after your job search.
At my old dev community in Berlin, we once discovered that a fake fintech startup was using job test assignments to crowdsource free work. Candidates thought they were completing challenges for interviews, but it was really production code for their MVP. Not as dangerous as malware but still predatory. Verdict: always trace the repo origin and ask why this test matters.