As a freelance developer, I'm always keeping an eye out for potential new projects to take on. So when a friend reached out about an interesting blockchain gig they had seen, I was definitely interested.
The role involved building web apps with React and some blockchain integration - right up my alley! Little did I know that it would lead me down a rabbit hole of red flags and a questionable technical “screening”.
Devs have to be selective about the clients we take on. But we don't expect trouble from potential employers themselves. This bizarre scheme I uncovered taught me that job seekers need to be vigilant too.
I wanted to share my story as a cautionary tale about keeping your guard up, especially when you are asked to run unknown code for an interview “test”. With so many unethical actors out there, we have to watch each other’s backs.
This whole shady situation started with a blockchain developer job listing a friend shared with me. It seemed pretty normal at first - they were looking for someone with React and blockchain development experience to work on web apps.
But the suspicious part was their instructions for “assessing candidates.” The listing included a Google Drive link and asked applicants to download the code, get it running locally, and send a screenshot of the app as proof before moving to the next interview stage.
In hindsight, this was clearly a ruse to get unsuspecting developers to run malware. But at the time, I didn't immediately think twice about it. I figured it was just a small technical challenge to evaluate skills before an in-depth interview.
So I downloaded the linked codebase and started reviewing it carefully, knowing anything from an unknown source should be vetted first. That's when the red flags popped up...
Once I extracted the files, at first glance nothing seemed too out of the ordinary. Just a typical React project skeleton with dependencies in package.json. But having heard horror stories of malicious technical tests, I knew better than to just npm install and start building.
That’s when the first red flag popped up. I noticed this config.js file that was called from the package.json scripts:
Very odd place for configuration code. And sure enough when I opened it up, there was a mess of heavily obfuscated code full of encoding and encryption:
My heartbeat quickened. Obfuscation like that is almost always a giveaway of malicious intent. Legitimate config has no reason to hide itself that way. It immediately became clear what was going on - this was malware disguised as an interview “test”.
My stomach turned as it set in how unethical this was. A potential employer looking to compromise my personal info and system security under the guise of screening me. Who knows what kind of data their malware aimed to extract had I naively installed and run their code. An absolute violation of trust.
I took a deep breath and went into damage control mode. First step, to feed my curiosity: I copied the entire config.js code into ChatGPT for analysis and to possibly unwrap it.
Then I asked ChatGPT to show me what exactly the code was doing, but it refused.
Then I tried Claude, which was a little more lenient and gave me an overview of what was happening. It was obviously what I expected.
Having understood what the malicious code was meant for, I went ahead and completely wiped both the codebase itself and any system I had unpacked it on. No point trying to debug such clearly malicious code. I wasn’t about to let my machine become their playground.
Next I considered reporting this behavior for such a blatantly unethical practice. But I quickly realized there was probably no point. They clearly knew what they were doing was wrong. Reporting them would likely accomplish nothing. Better to share my experience and help other developers spot similar red flags.
While an extremely unsettling experience, it was an important reminder to thoroughly vet technical screening tests during a job search. You have to be able to trust that employers have your best interests in mind.
Since going through this sneaky malware scheme disguised as an interview test, I’m vigilant about technical assessments. Here are some key lessons I learned:
Look out for unnecessary obfuscation of code or implementation details - huge red flag.
Don't feel rushed into running unknown code for a test. Ask for more details if anything seems unclear.
Review tests in an isolated environment first, not your main system. Check for any suspicious network activity.
Get a second opinion from other developers if something seems off about a test.
Remember employers have no right to probe your personal data without consent.
Consider anonymously reporting unethical behavior to help protect others.
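As an added example (not code from the original post), here is the kind of pre-install triage script I would now run, inside a throwaway VM, before ever typing npm install on an unknown project. It flags package.json scripts that run local files or lifecycle hooks (the config.js pattern from this story) and scores a source file for obfuscation signals. The file names, thresholds and sample inputs are my own constructed assumptions, not values from the actual malware.

```javascript
// Added example: first-look triage for an unknown Node project.
// Run BEFORE `npm install`, and install with `npm install --ignore-scripts`
// so lifecycle hooks cannot execute on their own.
const LIFECYCLE = new Set(['preinstall', 'install', 'postinstall', 'prepare', 'prepublish']);

// Flag scripts that invoke a local file (e.g. "node config.js") or that are
// lifecycle hooks, since both run code before you have read it.
function findScriptRedFlags(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const flags = [];
  for (const [name, cmd] of Object.entries(scripts)) {
    if (LIFECYCLE.has(name)) flags.push({ script: name, reason: 'lifecycle hook runs automatically on install' });
    const local = cmd.match(/\b(?:node|bash|sh)\s+(\.?\/?[\w./-]+\.(?:js|cjs|mjs|sh))/);
    if (local) flags.push({ script: name, reason: `runs local file ${local[1]}` });
  }
  return flags;
}

// Shannon entropy per character: honest minified JS sits around 4.5-5 bits,
// packed or encoded payloads push higher (threshold below is an assumption).
function entropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / text.length; h -= p * Math.log2(p); }
  return h;
}

// Obfuscation score: dynamic evaluation, decoder helpers, hex-escaped strings,
// long opaque literals and high entropy each add one point. 2+ means "read it first".
function obfuscationScore(source) {
  const signals = [];
  if (/\b(?:eval|Function)\s*\(/.test(source)) signals.push('dynamic eval');
  if (/\b(?:atob|Buffer\.from|fromCharCode)\b/.test(source)) signals.push('decoder call');
  if ((source.match(/\\x[0-9a-fA-F]{2}/g) || []).length > 10) signals.push('hex-escaped strings');
  if (/["'][A-Za-z0-9+/=]{80,}["']/.test(source)) signals.push('long opaque literal');
  if (entropy(source) > 5.2) signals.push('high entropy');
  return { score: signals.length, signals };
}

// Constructed sample inputs modelled on the post: a "config.js" wired into the scripts.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'interview-test',
  scripts: { start: 'node config.js && react-scripts start', postinstall: 'node config.js' },
});
const SAMPLE_CONFIG_JS = 'var _0x1a=["\\x65\\x76\\x61\\x6c","\\x61\\x74\\x6f\\x62","\\x66\\x65\\x74\\x63\\x68"];' +
  'eval(atob("QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk="));';
console.log(findScriptRedFlags(SAMPLE_PACKAGE_JSON), obfuscationScore(SAMPLE_CONFIG_JS));
```

Anything the script flags is a prompt to open the file and read it, not a verdict; a clean score only means the cheap heuristics found nothing.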
While most companies are ethical, it pays to be vigilant. You should feel empowered to question anything that doesn’t seem legitimate. Your skills speak for themselves - you don’t need to comply with shady tests. Prioritize your safety and code of ethics.
This experience with a malware “technical screening” left me rattled but also better prepared to identify red flags going forward. However, it worries me that more naive developers may fall victim to traps like this.
We all just want to build cool things with technology in an ethical way. Having to guard against potential employers is an unfortunate burden. My hope in sharing this story is that it will help shine a light on some deceptive practices that take place under the guise of job screening.
Devs, watch each other's backs out there. We have so much to contribute when given the chance. Don't let schemes like this undermine your potential. Prioritize openness, ethics, and safety in your job search. The right opportunities are out there.