
The Contagious Interview: A Sophisticated Hacking Vector Reshaping Web3 Recruitment Risks

2026/05/18 15:04
Image: Grok AI

In the fast-paced world of Web3 — where blockchain developers, smart contract auditors, and crypto engineers are in high demand — recruitment has become a prime target for sophisticated cybercriminals. One of the most insidious threats is the so-called “Contagious Interview” campaign: a multi-stage social engineering and malware delivery operation that weaponizes the job interview process itself.

Attributed largely to North Korean state-linked actors (such as the Lazarus Group / APT38), this tactic has evolved into a contagious threat that spreads through trusted developer workflows. Scammers impersonate recruiters, build rapport through professional video calls, and then hand over what appears to be a harmless “coding test” or project repository.

Running the code — often via a simple npm install — unleashes hidden malware designed to steal crypto wallets, seed phrases, browser credentials, and even corporate access. The “contagious” label comes from how the attack propagates: compromised machines or repos can lead to further infections, supply-chain risks, or lateral movement within teams.

How the Contagious Interview Works

The playbook is refined and mimics legitimate hiring:

  • Initial Outreach: Fake recruiters with polished (often AI-assisted) LinkedIn profiles contact developers, especially those with Web3, blockchain, frontend, or QA experience. They reference real company news and offer high-paying remote roles.
  • Trust Building: Victims receive professional PDFs, Figma prototypes, or project briefs. A video interview (Google Meet or similar) follows, with an “HR manager” asking standard questions before abruptly assigning a take-home task and ending the call.
  • Malware Delivery: The candidate is directed to clone a GitHub repo, download a OneDrive link, or install a “virtual meeting tool.” Common triggers include:

  A) Malicious package.json scripts (e.g., "postinstall": "npm run dev") that auto-execute on npm install.
  B) Dependency bloat with unrelated libraries (e.g., crypto libs like ethers/wagmi in a simple React app).
  C) Disguised WebAssembly (WASM) modules hidden in utility files.
  D) Fake apps like “GrassCall” that install info-stealers.

Once executed, the payload can exfiltrate MetaMask extensions, wallet.dat files, passwords, and more — often draining entire crypto holdings.

MetaLamp’s Close Call

The MetaLamp team — a leading Web3 development company specializing in blockchain solutions for Cardano, Ethereum, and beyond — has directly experienced this vector. Like many in the space, they received outreach from what appeared to be legitimate recruiters with detailed project briefs and technical tests.

Fortunately, through rigorous internal vetting processes and a healthy skepticism toward unsolicited code repositories, the team identified the red flags early and avoided any compromise. Their experience underscores that even experienced Web3 organizations are not immune, but proactive awareness can prevent disaster.

Next, one of the team members shares the story:

They invited us to a call and proposed reviewing the “Decentralized E-commerce Platform” project. On the day of the scheduled call, they postponed the meeting “for a bit later,” but (!) at the same time they asked us to look at the code beforehand so we could come “prepared.”

Classic move. It immediately raised red flags that the project was hosted on Bitbucket — the commit history wasn’t visible at all. They were supposedly hiring for a Technical Director, yet inside the repo there were only two garbage smart contracts bundled with Truffle, and the entire thing was slapped together on React.

We opened the package.json:

"rollup-plugin-polyfill-node": "^0.13.0",
"rollup-plugin-polyfill-route": "^1.0.2", //

rollup-plugin-polyfill-route: 126 lines of code, uploaded to npm 17 days ago, with 90 weekly downloads. It was uploaded just once and is already at version 1.0.2, which is strange. Next, the query string is assembled, and…

try {
  );   // the call wrapped here was not preserved on the page
} catch (err) {
  if (atlf > 0) {
    mreq(atlf - 1);   // retry with one fewer attempt left
  }
}

… we find what we were looking for: );. This code parses the data received from the request via rest-icon-handler.store and executes it immediately. I don’t really feel like checking what it returns, but it could:

  • Steal private keys from ~/.ssh/ and .env files;
  • Steal wallet seed phrases;
  • Steal browser cookies/tokens;
  • Steal any files from the disk;
  • Plant a backdoor;
  • Spoof addresses in the clipboard.

And this gem is used in the project as if it were some kind of polyfill for the Vite bundler.

Let’s look at its config (vite.config.js) and see:

import { defineConfig } from 'vite';
import react from '@vitejs/plugin-react';
import { getPlugin } from 'rollup-plugin-polyfill-route';

export default defineConfig(({ command, mode }) => {
  ...
  return {
    plugins: [
      react({
        ...
      }),
      getPlugin()   // the suspicious package is loaded here as a Vite plugin
    ],
  };
});

Just by looking at the package.json file, Claude Code immediately says that this particular package is dangerous and definitely contains malware!

Real-World Examples in Web3

  • Fireblocks Impersonation (2026): Scammers posed as Fireblocks recruiters, complete with a fake “Fireblocks Poker Platform” project involving crypto mechanics. After a polished Google Meet interview, victims were told to review a GitHub repo. The campaign used “EtherHiding” (blockchain smart contracts for command-and-control) to make its infrastructure resilient. Fireblocks detected and disrupted it by taking down the fake profiles and repos.
  • ChainSeeker.io Wallet-Draining Campaign: The group “Crazy Evil” created a fake Web3 company advertising roles like Blockchain Analyst on LinkedIn, WellFound, and CryptoJobsList. Applicants were routed to a Telegram “CMO” who instructed them to download GrassCall for interviews. The malware stole browser-stored wallets and credentials, resulting in total losses for many victims. A victim support Telegram group emerged to share removal advice.
  • Frontend Dev Take-Home Tests: Developers have reported React/Vite boilerplates laced with server-side libs, Base64-encoded WASM backdoors, and even oversized 3D assets (e.g., chess-themed .glb files) with no purpose other than bloat to hide payloads. One Reddit analysis highlighted how postinstall hooks triggered malicious servers mimicking legitimate Webpack code.

Protection Measures: Defending Your Team and Career

Both job seekers and hiring teams can harden defenses:

For Developers and Candidates:

  • Verify Everything: Cross-check recruiters against the company’s official careers page and use corporate email domains only. Legitimate interviews rarely involve cloning random repos or installing third-party tools.
  • Sandbox Everything: Run any coding test in a virtual machine (VM) or container with no access to your main wallet, browser extensions, or credentials. Tools like VS Code Workspace Trust or Microsoft Defender can flag suspicious repos.
  • Inspect Before Installing: Always review package.json for odd scripts, bloated dependencies, or unknown postinstall hooks. Prefer platforms like HackerRank, CoderPad, or GitHub Codespaces over direct downloads.
  • Red Flags: Abrupt interview endings followed by code tasks, personal email addresses, over-the-top promises, or requests to install “interview software.”
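As an added example (not code from the article or from MetaLamp), here is a small Node script that performs the "inspect before installing" check against the delivery triggers listed earlier: lifecycle hooks such as "postinstall": "npm run dev", dependencies that do not belong in a small front-end take-home test, and dependencies fetched from outside the registry. The sample package.json and the list of out-of-place libraries are constructed assumptions; adjust the list to your own stack.

```javascript
// Added example: offline static audit of a package.json before running `npm install`.
// npm executes these scripts automatically during install unless --ignore-scripts is set.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Libraries the article calls "dependency bloat" in a plain React test task.
// Assumption: the task is a simple front-end app; tune this set for your stack.
const UNEXPECTED_IN_FRONTEND = new Set(['ethers', 'wagmi', 'express', 'ws', 'node-fetch']);

function auditPackageJson(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (hook in scripts) {
      findings.push({ kind: 'lifecycle-script', detail: `${hook}: ${scripts[hook]}` });
    }
  }
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    if (UNEXPECTED_IN_FRONTEND.has(name)) {
      findings.push({ kind: 'unexpected-dependency', detail: name });
    }
    // git/http/github/file specs bypass the registry and its metadata entirely.
    if (/^(git\+|https?:|github:|file:)/.test(spec)) {
      findings.push({ kind: 'non-registry-dependency', detail: `${name}: ${spec}` });
    }
  }
  return findings;
}

// Constructed sample modelled on the poisoned repo the article describes.
const SAMPLE_PKG = {
  name: 'decentralized-ecommerce-test',
  scripts: { dev: 'vite', postinstall: 'npm run dev' },
  dependencies: {
    react: '^18.2.0',
    ethers: '^6.0.0',
    'rollup-plugin-polyfill-node': '^0.13.0',
    'rollup-plugin-polyfill-route': '^1.0.2',
  },
};

for (const f of auditPackageJson(SAMPLE_PKG)) {
  console.log(`[${f.kind}] ${f.detail}`);
}
```

Any finding means the repo goes into a throwaway VM at most, and installs there should still use `npm install --ignore-scripts`.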

For Web3 Companies and Hiring Teams:

  • Publish all openings on official channels and train recruiters on verification.
  • Use locked dependency management, code signing, and endpoint protection.
  • Educate candidates: Provide clear guidelines on secure test environments.
  • Report suspicious profiles to LinkedIn/GitHub immediately.

General Best Practices:

  • Separate personal/crypto environments from work machines.
  • Enable multi-factor authentication everywhere and monitor wallet activity.
  • Stay updated via security blogs (Fireblocks, Microsoft, Trend Micro) that track evolving variants.

MetaLamp’s narrow escape serves as a timely reminder: awareness isn’t paranoia — it’s survival in Web3. Stay skeptical, verify rigorously, and keep building securely. The future of decentralized tech depends on it.

If you’re in Web3 hiring or job hunting, share your own red-flag stories in the replies. Together, we can make this vector far less contagious!


The Contagious Interview: A Sophisticated Hacking Vector Reshaping Web3 Recruitment Risks was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.
