According to SlowMist, MistEye detected a malicious activity on July 18 targeting developers through fake Web3 job postings. Attackers impersonated recruiters on LinkedIn, built trust by discussing job experience, and sent a deceptive GitHub repository disguised as an "interview MVP." When developers ran the project, a hidden Node.js loader triggered and deployed multiple payloads.
The malicious code was designed to steal browser credentials and wallet data, collect sensitive files, execute remote commands with interactive shell access, and monitor clipboard activity. SlowMist advised developers to thoroughly inspect project scripts, dependencies, and build configurations before running unknown code repositories.