Essay - Published: 2026.01.16 | create | security | software-engineering |
I came across a Reddit post where a developer received a "take home challenge" from a recruiter that contained a malicious VSCode autorun task. Had they opened the project, it would've silently downloaded obfuscated JavaScript and run it on their machine—likely stealing sensitive data.
This is one reason I avoided most recruiter outreach during my 2025 job search. It's hard to verify who you're talking to, and the consequences of getting it wrong are serious.
Job recruitment scams are becoming more prevalent. FTC reports show job scam losses escalated from $90 million to $501 million between 2020 and 2024. About 60% of job seekers encountered at least one fake recruiter and 1 in 4 fell for hiring scams in 2025.
The tech industry is a prime target: lots of remote workers, a large pool of job seekers, and a higher chance that valuable data is sitting on the developer's own machine, like a crypto wallet, SSH and API keys, or scanned IDs.
The VSCode autorun attack works via a .vscode/tasks.json file. A task whose runOptions.runOn is set to "folderOpen" starts the moment you open the folder in VS Code and accept the Workspace Trust prompt; in Restricted Mode tasks do not run at all, and setting "task.allowAutomaticTasks" to "off" disables folder-open tasks even in trusted workspaces. But there are other versions of this kind of attack in the wild.
David Dodda received a LinkedIn message from someone claiming to be "Chief Blockchain Officer" at a company called Symfa. They asked him to complete a standard React/Node coding test.
Hidden in userController.js was an obfuscated function that would fetch a remote payload when executed. It was designed to steal environment variables, database credentials, and crypto wallet data.
He caught it because he asked his AI coding assistant to scan for suspicious patterns before running npm start.
Scams don't always involve downloading malware.
In the Splunk case, a candidate received what looked like a legitimate interview invitation from Splunk. She was fast-tracked through the process, received an offer, and was asked for her driver's license, direct deposit form, and background check authorization.
The red flag she missed: the email came from splunkcareers.us, not Splunk's actual .com domain.
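The domain check that would have caught this is easy to automate and easy to get wrong. The following is an added example (my own code, not from the post or from Splunk): it pulls the real address out of a From header, tests whether its domain is the company's domain or a subdomain of it on a label boundary rather than by substring, and flags a Reply-To that points somewhere else or a domain using non-ASCII or punycode labels. The headers it runs on are constructed, modelled on the case above.

```python
"""Recruiter e-mail domain check (added example, not from the post or from Splunk).

The one check that would have caught the splunkcareers.us case, done on a
label boundary rather than by substring, plus two related red flags.
"""
from __future__ import annotations

from email.utils import parseaddr


def sender_domain(header_value: str) -> str:
    """Domain of the actual address in a From/Reply-To header.
    The display name ("Splunk Recruiting <...>") is attacker-controlled, so
    only the part after '@' counts."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def same_org(domain: str, company_domain: str) -> bool:
    """True only if domain is company_domain itself or a subdomain of it.
    'in' or a bare endswith() would accept notsplunk.com and splunkcareers.us."""
    domain, company_domain = domain.lower(), company_domain.lower()
    return domain == company_domain or domain.endswith("." + company_domain)


def check_recruiter_mail(from_header: str, reply_to_header: str, company_domain: str) -> list[str]:
    """Warnings for one message; an empty list means the headers look consistent."""
    warnings: list[str] = []
    d = sender_domain(from_header)
    if not d:
        return ["From header carries no address"]
    if not same_org(d, company_domain):
        warnings.append(f"From domain {d} is not {company_domain} or a subdomain of it")
    if not d.isascii() or "xn--" in d:
        warnings.append(f"From domain {d} uses non-ASCII or punycode labels (possible homoglyph)")
    if reply_to_header:
        r = sender_domain(reply_to_header)
        if r and r != d:
            warnings.append(f"Reply-To goes to {r}, not to the From domain {d}")
    return warnings


# Constructed headers modelled on the case in the post; not real messages.
if __name__ == "__main__":
    cases = [
        ("Splunk Recruiting <hr@splunkcareers.us>", "", "splunk.com"),
        ("Splunk Talent <recruiting@careers.splunk.com>", "", "splunk.com"),
        ("HR <hr@splunk.com>", "Reply <reply@gmail.com>", "splunk.com"),
    ]
    for frm, reply_to, company in cases:
        print(frm, "->", check_recruiter_mail(frm, reply_to, company) or "ok")
```

A From header can itself be forged where the real domain publishes no DMARC policy, so treat a clean result as necessary, not sufficient: look at the Authentication-Results header as well, or skip the headers altogether and call the company back through a number taken from its own website.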
A few factors explain why this works:
Hard job markets breed desperation. 2025 has been rough for software engineers. When you're stressed about finding work, you're more likely to click that link or run some code without thinking twice.
AI makes scams cheaper. Realistic LinkedIn profiles, professional documentation, and legitimate-looking company branding are all much easier to fake now. Deepfakes for video interviews are also becoming more common, so seeing is no longer believing.
Developers are uniquely vulnerable. We download and run code all the time - GitHub repos, npm packages, coding challenges. So it's not that weird to be asked to download and run a repo.
Prefer applying directly. Anyone can pose as a recruiter. When possible, go through company career pages instead of responding to outreach. If a recruiter contacts you, verify them: check that the email domain is the company's own domain (or a subdomain of it, not a lookalike), look up their LinkedIn history, or call the company's HR through a number from its official site. This is what I did for my 2025 job search.
Don't blindly run code. Most legitimate interviews use online platforms like CoderPad, not local execution. If you do need to run something locally:
- Read .vscode/tasks.json before trusting the workspace. Open the folder in VS Code's Restricted Mode, or inspect it from a terminal, and look for tasks with "runOn": "folderOpen".
- Read the package.json scripts section, especially the hooks npm runs on its own during install (preinstall, install, postinstall, prepare).
- Better still, run it in a throwaway VM or container that has no access to your real credentials, wallets, or SSH keys.
Never share sensitive info prematurely. Your SSN, bank account details, and driver's license should only go through official portals after you are actually hired. Legitimate companies don't collect this over email, and collecting it over Zoom is also rare. When in doubt, slow down and verify.
Job searches are stressful enough - avoid allowing that to push you into a scam. If something feels off, it probably is. Apply directly, verify everything, and double check before running untrusted code.