I got completely owned by the most sophisticated hack I've ever encountered.
I'm a developer. I know what scams look like.
This didn't look like one.

It started with a recruiter reaching out about a frontend role.
Nothing unusual. I get these daily.
I usually ignore them, or play along to find where the exploit is hidden.
But this one had a real website. A real team page. Real headshots with names.
First call was with their HR.
Normal conversation. Talked about the role, the company vision, compensation.
Nothing felt off.
No AI voice glitches. No weird lag. Real human energy.
I agreed to move forward.
Second round was a technical interview with two engineers.
We talked tech stack, architecture decisions, interesting challenges.
Good conversation. The kind where you actually enjoy it.
One of them was listed on the company website.
Photo matched. Name matched.
At the end of the call they said:
"We'd like to move you to the next stage. It's a small coding challenge."
They gave me a GitHub repo and 5-10 minutes to look it over.
Backend code. Only a few files. Nothing suspicious.
Simple enough.
During the interview we talked about how many fake job scams target developers lately.
We laughed about it. They seemed just as aware as I was.
Before running I said I'd check for anything suspicious.
They smiled. "Feel free to look for backdoors."
That one line was deliberate.
It lowered my guard exactly when I needed it most.
I ran the code.
The only thing that saved me was a macOS popup:
"patch.sh wants to run as a background process."
I killed my WiFi immediately and started investigating.
Most people would have clicked Allow without thinking twice.
After two rounds of interviews, on a screenshare with people you've built trust with over days?
You trust them.
That's exactly what they counted on.
The attack was hidden inside a dependency of a dependency.
The repo itself was clean.
winston-middleware, a logging package. Boring. Normal-sounding.
It pulled in a single transitive dependency: next-runtimejs.
That's where the weapon was.
The moment I ran the project, a shell script executed in the background.
The script itself gave no prompt and no warning; the only visible trace was the macOS notification when its payload registered itself as a background item.
It downloaded a backdoor written in Go and registered it to auto-start on every boot.
This was not some script kiddie tool.
Professionally written Go program.
Custom RC4-encrypted protocol.
Commands for shell execution, file theft, Chrome password extraction, Keychain exfiltration, and crypto wallet targeting.
Someone built this seriously.
I unplugged my internet within a minute.
But in that minute they collected:
• 634 saved Chrome passwords
• My macOS Keychain (which holds the key to decrypt those passwords)
• My MetaMask wallet data
No login prompt. No clicks. They had everything.
Chrome's saved passwords are AES-encrypted on disk.
But the key that unlocks them (the "Chrome Safe Storage" item) lives in the macOS login Keychain.
They stole both.
Every saved password (banking, email, GitHub) was readable on their end.
I did full forensics afterward.
The backdoor leaves zero local logs. Everything streams to their server.
But file access timestamps don't lie.
Backdoor started: 16:16:37.
Chrome passwords accessed: 16:17:33.
56 seconds.
This wasn't a random attack.
This was an operation.
Fake website. Fake LinkedIn profiles. Real-looking engineers.
A multi-stage interview process designed to build trust over days.
All to get one developer to run their code.
The scariest part?
I'm the person who looks for this stuff.
I've caught scams before. I examine repos before running them.
They joked with me about backdoors on the call.
Then got me with one.
If it happened to me, it can happen to anyone on your team.
The malicious packages:
winston-middleware@4.5.3
next-runtimejs@1.0.3
Fake company GitHub:
http://github.com/genusix-labs
Both reported to npm and GitHub.
If these are anywhere in your projects, remove them now.
How to protect yourself:
• npm install --ignore-scripts on any unknown repo (or put ignore-scripts=true in your .npmrc). Know what it covers: it blocks preinstall/install/postinstall hooks, not code that runs when you start the app, so it is not enough on its own.
• Run interview code in a VM or spare machine, never your main computer.
• Disconnect from the internet before running anything unfamiliar. A payload that installs persistence will still phone home the moment you reconnect, which is why the VM matters more than the disconnect.
• Use an outbound firewall (Little Snitch on macOS, GlassWire on Windows) so an unexpected connection has to ask you first.
More:
• Never save passwords in your browser. Use a password manager.
• Keep crypto wallets on hardware, not browser extensions.
• A polished interview does not mean the code is safe.
• Trust the process, but always read the dependencies, and read the lockfile, not just package.json: the malicious package here sat one level below the one the repo actually listed.
The interview felt real because it was designed to feel real.
Weeks of work. Fake people. A real website.
All to get one developer to run their code.
This is the new phishing.
It's targeting developers specifically because of what we have access to.
Stay safe out there.