SlowMist|Jul 18, 2026 07:26
🚨 Threat Intelligence | Fake Recruitment Campaign Delivers Malware via GitHub Repository
MistEye recently detected a malicious campaign targeting developers through fake Web3 recruitment.
Attackers impersonated recruiters on LinkedIn, built trust through discussions about work experience and interviews, then sent a GitHub repository disguised as an “interview MVP” and tricked developers into running the project.
Our analysis found that the malicious repository hid theme/js/auron-core.min.js as a Tailwind plugin. When developers ran the project’s development or build commands, the hidden Node.js loader was triggered and deployed multiple payloads for:
🔹 Browser credential & wallet data theft
🔹 Sensitive file collection and exfiltration
🔹 Remote command execution and interactive Shell access
🔹 Clipboard monitoring
This campaign shows how trusted development workflows can become attack vectors. Developers should always inspect project scripts, dependencies, and build configurations before running unknown repositories.
Full analysis👇
https://slowmist.medium.com/threat-intelligence-analysis-of-a-github-poisoning-attack-disguised-as-recruitment-30fe23601305?sharedUserId=slowmist(SlowMist)
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink