A simple AI prompt saved a developer from this job interview scam

Plus: Ransomware posing as Teams installer, Cisco 0-day exploit to drop rootkit, and European cops bust SIM-box service

INFOSEC IN BRIEF Engineer David Dodda says he was just "30 seconds away" from running malware on his own computer after nearly falling victim to a North Korea-type job interview scam with a "legitimate" blockchain company. 

The fraudsters probably would've duped him and tried to steal everything on his machine, from cryptocurrency wallets to files and passwords, if he hadn't entered one simple AI prompt into his coding assistant:

"Before I run this application, can you see if there are any suspicious code in this codebase? Like reading files it shouldn't be reading, accessing crypto wallets etc."

On his blog this week, Dodda detailed how he almost got hacked by a job interview, and it's the type of scam we've been hearing more about as government-backed cyber operatives, especially those in North Korea, prey on job seekers' enthusiasm to steal their crypto and credentials and compromise their machines.

It essentially flips the script on the IT worker scam, in which real developers use fake or stolen identities to obtain jobs with Western companies, then funnel their salary money - and sometimes corporate IP and other sensitive data - back to Pyongyang.

In the scheme that Dodda nearly fell for, the faker posed as the chief blockchain officer at Symfa, a legitimate company with a real LinkedIn profile, and said he was looking to hire developers for a part-time gig. 

This fake Symfa exec, Mykola Yanchii, reached out to Dodda over LinkedIn (the profile has since been removed). "Mykola Yanchii looked 100% real. Chief Blockchain Officer. Proper work history. Even had those cringy LinkedIn posts about 'innovation' and 'blockchain consulting,'" Dodda wrote. So he said yes to the interview, scheduled via Calendly - but first, Yanchii wanted him to complete a test project to evaluate his coding skills.


It's the classic Contagious Interview approach, in which criminals pose as recruiters, posting fake profiles on social media while specifically targeting software developers, especially those working in cryptocurrency and tech. After the victim says yes to the phony job interview, they are tricked into downloading malware disguised as a coding test - and the malware ultimately steals sensitive information and cryptocurrency, while gaining long-term access to corporate networks.

As Dodda wrote, developers are the "ideal victims" because their machines "contain the keys to the kingdom: production credentials, crypto wallets, client data."

Dodda said the test - a React/Node codebase - looked normal: "The Bitbucket repo looked professional. Clean README. Proper documentation. Even had that corporate stock photo of a woman with a tablet standing in front of a house."

But because he was running late for the interview with only 30 minutes to review the code, instead of sandboxing it, Dodda "did what lazy developers do - I started poking around the codebase without running it first."

After cleaning up the code and fixing some bugs, Dodda was about to hit "npm start" and run the code. But then, in a moment of paranoia, he asked his Cursor AI agent to check for suspicious code, and that saved him.

"One simple AI prompt saved me from disaster," he said. "Not fancy security tools. Not expensive antivirus software. Just asking my coding assistant to look for suspicious patterns before executing unknown code."

This week, Google said that a threat group it tracks as UNC5342, suspected to be behind the Contagious Interview campaign, has been using a technique called EtherHiding - hiding malware inside blockchain smart contracts to sneak past detection and ultimately steal developers' info - since February.

Cisco 0-day abused to deploy rootkits

We know someone exploited a Cisco IOS and IOS XE zero-day prior to its disclosure late last month - but we didn't know who or for what nefarious purpose. Until now.

In late September, Cisco patched CVE-2025-20352, a stack-overflow flaw in the SNMP subsystem of IOS and IOS XE that can be exploited with crafted SNMP packets over IPv4 or IPv6, but only by an authenticated attacker with valid SNMP credentials. At the time, the networking giant said it was aware of in-the-wild exploitation, but didn't name the culprits or disclose the scope of the attacks.

This week, Trend Micro researchers revealed that attackers exploited the Cisco SNMP zero-day to deploy Linux rootkits and achieve remote code execution and persistent access.

After implanting the rootkit, the malware sets a universal password containing the word "disco," and installs hooks onto the IOSd, which results in fileless components disappearing after a reboot. 

These attacks primarily targeted older, unprotected systems: Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access. 

Crims using fake Teams installers to deliver ransomware

Microsoft this week said it revoked more than 200 security certificates that a criminal group it tracks as Vanilla Tempest used in fake Teams setup files to ultimately deliver Rhysida ransomware.

Redmond first spotted the campaign in late September before revoking the certs in early October. 

"Running the fake Microsoft Teams setups delivered a loader, which in turn delivered a fraudulently signed Oyster backdoor," Microsoft Threat Intelligence said on social media. 

"Vanilla Tempest has incorporated Oyster into their attacks as early as June 2025, but they started fraudulently signing these backdoors in early September 2025."

Vanilla Tempest, aka Vice Spider and Vice Society, is a financially motivated gang that uses ransomware and extortion attacks. While they've used various data-locking malware variants in the past - including BlackCat, Quantum Locker, and Zeppelin - most recently, Rhysida has been the crew's ransomware of choice.

SIM stopped

European cops earlier this month took down an illegal SIM-box service that Europol said cost victims at least 4.5 million euros in losses. 

The illicit service offered phone numbers registered to people in more than 80 countries, and rented them to other criminals who used the numbers to set up fake social media and messaging app accounts, and used these in other scams while hiding the perpetrators' real identity and location.

These crimes, according to Europol, included phishing, fraud, extortion, migrant smuggling and the distribution of child sexual abuse material.

In total, the operation codenamed SIMCARTEL led to the arrest of five Latvian nationals along with two additional suspects. Law enforcement also took down five servers and seized 1,200 SIM box devices alongside 40,000 active SIM cards. 

Investigators from Austria, Estonia, and Latvia, together with their colleagues at Europol and Eurojust, were able to attribute to the criminal network more than 1,700 individual cyber fraud cases in Austria and 1,500 in Latvia. ®
