A recruiter hit me up on LinkedIn last week. Senior Solidity Engineer role, $15-20K USD/month, remote. The company looked real. The job description was legitimate. The hiring process was normal and the salary was in the correct ballpark. They sent me a GitHub repo for a take-home assessment. Before running anything, I ran it through Claude Code for a security audit and then verified manually (obviously!). I'm glad I did.

## The Setup

The repo was a legitimate Scaffold-ETH 2 project, a DeFi over-collateralised lending protocol with real working Solidity contracts. Someone named MrRogueKnight built it, 25+ commits over a single day. Clean code, MIT licensed, nothing wrong with it.

Then, two days later, a second author called `sementsov` showed up in the commit history. Four commits which were pretty low effort (the mark of a true developer):

- Update Packages
- Update Output
- No message
- Update Config

That last one changed a dependency in the Next.js app.

## The Malware

`sementsov` added a package called `path-extend` to the Next.js dependencies. The README on npm says it's "an exact copy of the NodeJS path module." It's not!

Buried inside `index.js`, between legitimate path functions, are two self-executing functions. They decode a base64 string to get a URL, fetch JSON from that URL, and run `eval()` on the `content` field, twice. The server URLs point to jsonkeeper.com, a pastebin-style site. Both payloads are still live as of today.

What does the payload do? System fingerprinting: hostname, username, home directory, OS. A callback to a command server assembled from obfuscated IP fragments. A second-stage file dropped to your home directory and executed. Data exfiltrated via POST. Retry loop. Cleanup.

It's targeting crypto developers specifically: private keys, mnemonics, `.env` files with RPC endpoints and API keys.
If you cloned this repo and ran a simple `yarn install` (totally muscle memory for many developers), your machine was compromised before you wrote a single line of code.

## The Cover Story

The `next.config.js` file imports `path-extend` and uses it to set `output.path` and `output.filename`. Those are webpack options; Next.js ignores them completely. The entire block exists to make the import look like it belongs there.

The npm package itself was previously called `path-external`. npm seized it. The attacker renamed it to `path-extend` within 48 hours and kept going.

## The Social Engineering

The job interview format is the attack vector. You're trying to impress someone. You're focused on the code quality, the architecture, whether your solution is elegant. You're not thinking about `package.json`. Of course, you could be desperate for a job too. This is totally not me by the way. Unrelated, I'm available for work!

The urgency helps too. "We'd like this within 48 hours." Clone, install, start coding.

The fake 40 Acres operation used a real company's brand (an El Salvador-registered Bitcoin business with legitimate licensing), a separate GitHub org to host the malicious repo, and a recruiter persona with a plausible LinkedIn presence. The job description was technically accurate. The assessment task was reasonable. Everything was designed to feel legitimate until the moment `yarn install` ran.

## What to Do

Before running any take-home assessment repo:

- Check the commit history. Multiple authors on a simple project is a red flag. A second author appearing days after initial creation is a bigger one.
- Audit `package.json`. Any unfamiliar package with a wildcard version (`"*"`) warrants a look at its npm page. Check when it was published, who maintains it, and what it actually depends on.
- Don't run `npm install` or `yarn install` until you've done the above. The malware executes at install time, not run time.
- Verify the company is who they say they are.
Check the official GitHub org against what the recruiter sent. Check whether the job description matches what the company actually builds. The real 40 Acres builds Bitcoin Lightning infrastructure. The fake job description was for Ethereum DeFi work. That mismatch alone should have been a flag.

In general, any mismatch is a red flag when working in crypto. Telegram, Discord, GitHub, Twitter, websites, domains, emails, EVERYTHING should line up.

## The Payloads Are Still Live

As of today both jsonkeeper URLs still return functional malware. The npm package may still be up. If you've cloned any repo recently that includes `path-extend` or `path-external` as a dependency, check your git log for the `sementsov` author and assume your machine is compromised.

Stay safe out there! We programmers are very tasty targets.
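As an added example (my own script, not code from the post or the repo it describes), here is a small Node script that automates the pre-install checks from the What to Do section: it flags wildcard versions, the two package names named above, install-time lifecycle scripts, and any author who first appears days after the repo was created. The sample `package.json` and `git log` output are constructed; on a real clone, feed it the file contents and the output of `git log --format='%an|%at'`.

```javascript
// Added example, not the post's code: pre-install audit of a take-home repo's
// package.json (wildcards, suspect names, install hooks) and git authorship.
const SUSPECT_PACKAGES = new Set(['path-extend', 'path-external']);

// Return findings for a package.json given as text.
function auditDependencies(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, version] of Object.entries(pkg[field] || {})) {
      if (SUSPECT_PACKAGES.has(name)) findings.push(`${field}: ${name} is a known malicious package`);
      if (version.trim() === '*' || version === 'latest') findings.push(`${field}: ${name}@${version} is an unpinned wildcard version`);
    }
  }
  // npm/yarn run these hooks automatically during install, so review them.
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push(`scripts.${hook} runs at install time: ${pkg.scripts[hook]}`);
  }
  return findings;
}

// Return findings for `git log --format='%an|%at'` output (author|unix time).
function auditAuthors(gitLogText, maxGapDays = 1) {
  const commits = gitLogText.trim().split('\n').map(line => {
    const [author, ts] = line.split('|');
    return { author, time: Number(ts) };
  });
  const firstSeen = new Map(); // author -> earliest commit time
  for (const c of commits) {
    if (!firstSeen.has(c.author) || c.time < firstSeen.get(c.author)) firstSeen.set(c.author, c.time);
  }
  const origin = Math.min(...commits.map(c => c.time));
  const findings = [];
  if (firstSeen.size > 1) findings.push(`${firstSeen.size} authors on a single take-home project`);
  for (const [author, t] of firstSeen) {
    const gapDays = (t - origin) / 86400;
    if (gapDays > maxGapDays) findings.push(`${author} first commits ${gapDays.toFixed(1)} days after repo creation`);
  }
  return findings;
}

// Constructed sample inputs mirroring the repo described in the post.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { next: '^14.0.0', 'path-extend': '*' },
  scripts: { dev: 'next dev' },
});
const SAMPLE_GIT_LOG = ['sementsov|1700210000', 'sementsov|1700200000',
  'MrRogueKnight|1700040000', 'MrRogueKnight|1700000000'].join('\n');

console.log([...auditDependencies(SAMPLE_PACKAGE_JSON), ...auditAuthors(SAMPLE_GIT_LOG)]);
```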