PSA: Be aware when opening “take home challenges” from untrusted recruiters

I was recently contacted by linkedIn "recruiter" who's upto no good it seems. After some brief chatting, they asked me to complete a take-home assignment to go ahead with the recruitment process. This is the link to said take home challenge: https://bitbucket.org/brain0xlab/challenge/src/master/

It all seemed a bit suspcious and I wanted to check the repo out before cloning it and opening it myself.

This repository contains a vscode auto run task: https://bitbucket.org/brain0xlab/challenge/src/master/.vscode/tasks.json <- This is a HUGE red flag.

This task, through several layers of indirection, effectively downloads a stringified obfuscated JS script disguised as a json file from this link: https://api.npoint.io/3b0e9f7bfcd85cc9e77d

The JSON is downloaded via a "env.js" file downloaded from here (WARNING: malware script host): https://vscode-settings-bootstrap[dot]vercel[dot]app/settings/env?flag=306 (replace the dots with actual dots)

You'll likely need to use curl -L or something to actually download it. This vscode-settings-bootstrap is likely hosted by the malware creators as this is the website hosting the actual malware stuff primarily. npoint is sort of just a general service.

Notice how the env.js file downloads the malware script containing json from npoint, extracts the obfuscated js from the cookie field and runs it.

I have not managed to gather more information about the malware script itself. I know it reads a bunch of system information, reads credentials from filesystem (e.g ssh private keys) and tries to upload them to some domain. I sorta gave up figuring out what domain it is since the script does A LOT of useless work to waste cpu cycles and my virtualbox was simply taking too long to get to the meaty part.

I have reported the linked in profile and bitbucket repo.

TL;DR: Don't open take home challenges and grant it permissions, especially if it contains auto run scripts…