Protection
Red flags, safety steps, and tools to protect yourself from malicious repos.
Red Flags in Crypto Job Offers
They use Google Docs for requirements
Legitimate companies use their own platforms. Google Docs links for assessments are a major red flag.
They ask you to run their project locally
The core of the scam: they need you to run npm install on a malicious repo.
Video interview where face doesn't match voice
Deepfake video in interviews. Watch for unnatural lip sync, odd lighting, robotic speech.
Ask them to blink — deepfakes struggle
Real-time deepfake video has trouble with sudden movements like blinking on command.
Before Running Any Project
Check package.json scripts
Look for preinstall/postinstall that run shell commands or obfuscated code.
"preinstall": "node ./scripts/setup.js"
npm install --ignore-scripts
Install deps without executing lifecycle scripts. Inspect code first.
npm install --ignore-scripts
Look for eval() in config files
Check vite.config, next.config, webpack.config for eval(), Function(), or suspicious imports.
eval(Buffer.from('...').toString())
Check repo age and stars
Malicious repos are new, have no stars, no forks, minimal history.
Use ScanRepo first!
Paste the URL into ScanRepo before cloning. Detects known malware patterns.
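The package.json and config-file checks above, combined into one static pass. This is an added example, not code from this page or from ScanRepo. The functions take file contents as text, so nothing from the repository is executed; the function names and sample inputs are constructed for illustration.

```javascript
// Static pre-install audit: works on file contents only, runs no repo code.

// Lifecycle hooks npm can run automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns named above for vite.config / next.config / webpack.config files.
const SUSPICIOUS_PATTERNS = [
  { name: 'eval()', re: /\beval\s*\(/ },
  { name: 'Function()', re: /\bFunction\s*\(/ },
  { name: 'Buffer.from() decode', re: /\bBuffer\.from\s*\(/ },
];

// Return the lifecycle scripts declared in a package.json document.
function findLifecycleScripts(packageJsonText) {
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
  } catch (err) {
    // Unparseable manifest: report it instead of silently passing the repo.
    return [{ hook: '(parse error)', command: err.message }];
  }
  const scripts = (pkg && typeof pkg.scripts === 'object' && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Return one finding per (line, pattern) match in a config file's source.
function scanConfigSource(fileName, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const { name, re } of SUSPICIOUS_PATTERNS) {
      if (re.test(line)) findings.push({ fileName, line: i + 1, pattern: name });
    }
  });
  return findings;
}

// Constructed sample inputs (not taken from a real repository).
const samplePackageJson =
  '{"name":"take-home-test","scripts":{"preinstall":"node ./scripts/setup.js","dev":"vite"}}';
const sampleViteConfig = [
  "import { defineConfig } from 'vite';",
  "eval(Buffer.from('...').toString());",
  'export default defineConfig({});',
].join('\n');

console.log(findLifecycleScripts(samplePackageJson));
console.log(scanConfigSource('vite.config.js', sampleViteConfig));
```

A hit is a reason to read the referenced script or line before installing; a clean result does not prove the repo is safe, since the pattern list does not cover heavier obfuscation.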
What the Malware Does
Browser cookies & passwords
Targets Chrome, Firefox, Brave, Edge. Extracts saved passwords, cookies, autofill.
Crypto wallet keys
Searches MetaMask, Phantom. Extracts private keys and seed phrases.
SSH keys & AWS credentials
Reads ~/.ssh/ and AWS credential files. Compromises servers and cloud.
Silent data exfiltration
All stolen data sent to C2 servers. Accounts compromised before you notice.