A Serbian web developer fell victim to an elaborate employment scam where attackers posed as a blockchain firm, conducted convincing video interviews, and tricked him into running malware during a live-coding test. The script silently harvested 634 Chrome passwords, macOS keychain data, and MetaMask wallet information before detection, highlighting evolving tactics in developer-targeted cybercrime.
Boris Vujičić, a web developer based in Serbia, thought he was doing his due diligence when he agreed to run a live-coding test during what appeared to be a legitimate job interview with a company called Genusix Labs. Instead, he executed a sophisticated malware payload that stole his saved passwords, cryptocurrency wallet data, and macOS keychain information in under a minute—a stark reminder that even security-aware professionals can be outmaneuvered by meticulously crafted social engineering attacks targeting the developer community.
The scam began with a standard LinkedIn outreach from a recruiter claiming to represent Genusix Labs, a blockchain firm. Vujičić, who reports receiving multiple scam messages daily, initially treated it with skepticism but was gradually won over by the operation’s depth: the company maintained a LinkedIn page and a professional website featuring headshots of a "Leadership Team" that matched the interviewers, and it conducted two video calls (one with HR and a technical interview with engineers) that felt authentic. Notably, the engineers joked about the prevalence of job scams targeting developers, a tactic Vujičić later recognized as deliberate rapport-building to lower his guard.
When asked to proceed with a live-coding assessment, Vujičić expressed hesitation about running unfamiliar code but was reassured by the interviewers: "Examine the code, make sure it’s not suspicious. You can run it in any cloud environment." He recalled their specific phrasing: "They reassured me—and they did a good job—to get me to let my guard down, and just run the freaking code." After a brief review, he executed the provided script on his macOS machine.
Immediately, a system popup appeared: "patch[.]sh wants to run as a background process." Suspicious, Vujičić ended the call, disabled his network connection, and began investigating. He discovered the malicious script—camdriver[.]sh—hidden in a temporary camera-driver folder. Despite its obfuscation, he noted the code’s unusual quality: "The script is very sophisticated and beautiful—I like the code. Whoever wrote the code is a very smart guy."
Technical analysis revealed a multi-stage payload designed for stealth and persistence. The script first checked the host’s CPU architecture to download a compatible binary. It then established a mechanism to relaunch itself at every system boot. The core payload, written in Go, communicated via a custom RC4-encrypted protocol and included capabilities for:
- Arbitrary shell command execution
- File system traversal and exfiltration
- Extraction of saved passwords from Chrome
- Harvesting of macOS Keychain items
- Targeting of cryptocurrency wallet data (specifically MetaMask)
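The article says the script "established a mechanism to relaunch itself at every system boot" without naming it. The following is an added example, not code from the article or from the investigators, showing how a defender can triage macOS launchd property lists for that pattern; it assumes the persistence was a launchd job (an assumption, not something the article states), and the two plists it scans are constructed samples, one benign and one imitating a script dropped in a temporary camera-driver folder.

```python
import os
import plistlib
import tempfile

# Scratch locations on macOS; the article's dropper lived in a temporary camera-driver folder.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
SCRIPT_SUFFIXES = (".sh", ".command", ".py")

def triage_launch_item(plist_bytes):
    """Return the reasons a launchd plist looks like script persistence (empty list = nothing flagged)."""
    item = plistlib.loads(plist_bytes)
    reasons = []
    targets = [item.get("Program", "")] + [a for a in item.get("ProgramArguments", []) if isinstance(a, str)]
    for path in targets:
        if path.startswith(TEMP_PREFIXES):
            reasons.append(f"runs from a temporary directory: {path}")
        if path.endswith(SCRIPT_SUFFIXES) and item.get("RunAtLoad"):
            reasons.append(f"script scheduled to run at every boot/login: {path}")
    if item.get("KeepAlive"):
        reasons.append("KeepAlive set: launchd restarts the job if it exits")
    return reasons

def scan_directory(directory):
    """Map each flagged .plist filename in directory to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                reasons = triage_launch_item(fh.read())
            except Exception as exc:  # a plist that will not parse is itself worth a look
                reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[name] = reasons
    return findings

def scan_constructed_samples():
    """Write two constructed plists (one benign, one imitating the article's dropper) and scan them."""
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"]}
    dropper = {"Label": "com.apple.camdriver",  # constructed label; hostile jobs often imitate Apple names
               "ProgramArguments": ["/bin/sh", "/private/tmp/camdriver/camdriver.sh"],
               "RunAtLoad": True, "KeepAlive": True}
    with tempfile.TemporaryDirectory() as tmp:
        for name, item in (("com.example.updater.plist", benign), ("com.apple.camdriver.plist", dropper)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(plistlib.dumps(item))
        return scan_directory(tmp)
```

On a real host, point `scan_directory()` at `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; anything flagged deserves a manual look at the referenced script before the machine is trusted again.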
In the 56 seconds before Vujičić severed his network connection and terminated the processes, the attackers successfully collected 634 saved Chrome passwords (covering banking, email, and GitHub accounts), his entire macOS keychain, and his MetaMask wallet data. He has since rotated all credentials and confirmed no cryptocurrency was stolen, attributing this to his rapid response.
Vujičić reported the infrastructure to the relevant parties: the fake GitHub repository to npm and GitHub, the Genusix LinkedIn profiles to the platform, the domain to HostGator, and the IP address to AbuseRadar. He also shared forensic logs with zeroShadow, the incident response firm that investigated the breach at Step Finance, where Vujičić had worked before its $40 million crypto heist. zeroShadow’s analysis linked this attack to North Korean state-linked actors, noting identical code reuse and tactics from the earlier Step Finance compromise.
This incident underscores a dangerous evolution in developer-focused threats. Attackers are moving beyond phishing links or malicious npm packages to exploit the trust inherent in hiring processes. By investing in believable corporate facades and leveraging the social dynamics of interviews (even using humor about scams to create a false sense of security), they make it easier for victims to override their own suspicions.
Vujičić warns that future iterations may eliminate the need for malicious code execution entirely: "What if they do a regular interview, they don’t push any kind of scam link that I need to click, we talk about money, they send me a contract, they say ‘come work with us’? [...] They can give me fake onboarding documents, give me fake tasks to work on, and push a virus in a day or two." Such a scenario would allow long-term access to developer environments, enabling theft of production credentials, compromise of CI/CD pipelines, and insertion of backdoors into shipped software.
For developers, the key takeaway is heightened vigilance during unsolicited job outreach, even when interactions appear legitimate. Verifying company details through independent channels (not links provided by the recruiter), refusing to execute code from unverified sources in personal environments, and using isolated, disposable systems for technical assessments remain critical defenses. As Vujičić reflected: "I was like, Why? Why was I so stupid? Why did I do this?" The answer lies not in an individual lapse, but in the attackers’ growing ability to mimic legitimacy so precisely that skepticism itself becomes the exploited vulnerability.