PSA: Be careful when a random crypto company sends you their Git repo

9 points by cranberryturkey 10 hours ago | 7 comments

This has happened around 4-5 times in the last 6 months to me: a random stranger will claim to be with an unknown crypto company, and they just want me to review their code as part of the interview process.

If you DO do this, only run the code in a VM like VirtualBox and Ubuntu w/o any personal information on the VM instance.

5 times now the code has contained malicious software (discovered by running OpenSnitch on KDE).

One of them emptied your MetaMask wallet. I almost clicked "ok" but then thankfully MetaMask wanted me to confirm -- had I clicked it a second time my wallet would have been drained.

Another time it ran a browser credential-stealing script that stole both Chrome and Firefox cookies and saved passwords (I recommend you use a 3rd-party password manager like Bitwarden instead of the browser).

Had another one on Codementor today reach out to me. It was too good to be true: $185/hour and all I had to do was give feedback on their app.

You can usually tell because the code is brand new (within a matter of days) and there are no commits on the repo. This is a dead giveaway.

navjack27 6 hours ago | next |

I am absolutely stunned that you just were absolutely okay with a random stranger sending you a message like this and then you do it.

Yes it's really good that you are doing a PSA but there needs to be another PSA on top of this.

The PSA shouldn't be to be careful. The PSA should be literally not to trust people you don't first initiate contact with to do something as "personal" as compile their code without reading it first.

Does a sight unseen code review usually start with compiling?

Should you trust a random crypto person?

If four to five times in the last 6 months this happened to you then I'm also wondering what other things you have participated in were also scams.

You just seem really trusting.

politelemon 10 hours ago | prev | next |

What type of code, and how were you running it? E.g., was it an npm install, a make build, something else?

cranberryturkey 10 hours ago | root | parent |

Usually it's Node.js with React (that's my expertise). It looks legit at first glance, but it might contain some obfuscated code somewhere on startup. That's what one project had. I checked the GitHub a day later and it was deleted.

JSDevOps 9 hours ago | prev | next |

Aren't a lot of these delivering malware by pre-commit hooks?

cranberryturkey 7 hours ago | root | parent |

I don't know, but the files themselves were malware. Are you saying they write the exploit in a pre-commit hook? What good would that do? I'm not committing any code. It would never execute.