
sudo rm -rf --no-preserve-root /|Jul 04, 2025 12:39
So someone contacts you on LinkedIn with a promising job opportunity. Sounds nice, innit? They seem legit (after checking them for 1 min) and after some short convo they send you a GitHub repo with a simple Next.js "recruiting task". You clone it, run it… and 10 mins later, your device is fully compromised as you find out that your hot wallets were drained. Ok, what happened? Given the fact that we (= SEAL 911) have seen this attack over and over again, let me disclose some of the most important details:
- first, the most important caveat: do NOT run random code some random dude sent you. Honestly, fucking don't.
- always check the _executable_ config files of the repo thoroughly. In this particular case, the `next.config.js` file had a large run of padding pushing the malicious payload far to the right, off-screen.
- always scroll horizontally - just because you don't see anything malicious in the visible part of a line doesn't mean it's clean.
Important: Malicious code can be hidden within files you trust, just not where you expect it.
I really hope this tweet reaches enough people to prevent at least a few future victims from falling for this kind of attack.
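A quick check for the horizontal-padding trick described above, added here as an example and not code from the original post: it flags lines in common Next.js/Node config files where code sits after a long run of whitespace, or where a line runs far past editor width. The thresholds, file list and embedded sample are assumptions I constructed.

```python
import re
from pathlib import Path

# Assumed thresholds: a normal editor shows well under 200 columns, and no
# honest config file separates two statements with 40+ spaces on one line.
MAX_LINE_LEN = 200
MAX_INLINE_GAP = 40
# Assumed list of "executable" config files worth scanning in a cloned repo.
CONFIG_FILES = ("next.config.js", "next.config.mjs", "webpack.config.js",
                "postcss.config.js", "tailwind.config.js", ".eslintrc.js")

_GAP = re.compile(r"[ \t]{%d,}" % MAX_INLINE_GAP)


def scan_text(text, name="<input>"):
    """Return (file, line_no, reason, preview) for lines that push content past
    the visible viewport: code after a long whitespace gap, or overlong lines."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = _GAP.search(line)
        # Gap check: something before the gap AND something after it.
        if m and line[:m.start()].strip() and line[m.end():].strip():
            gap = m.end() - m.start()
            findings.append((name, no, f"{gap} whitespace chars hide trailing code",
                             line[m.end():].strip()[:60]))
        elif len(line) > MAX_LINE_LEN:
            findings.append((name, no, f"line length {len(line)} > {MAX_LINE_LEN}",
                             line.strip()[:60]))
    return findings


def scan_repo(root):
    """Scan a cloned repo for padded config files, skipping node_modules."""
    findings = []
    for fname in CONFIG_FILES:
        for path in Path(root).rglob(fname):
            if "node_modules" in path.parts:
                continue
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample: a benign-looking next.config.js whose second line carries a
# placeholder statement 300 spaces to the right of the visible config.
SAMPLE = (
    "/** @type {import('next').NextConfig} */\n"
    "const nextConfig = { reactStrictMode: true };"
    + " " * 300 + "hiddenStatement(); // placeholder\n"
    "module.exports = nextConfig;\n"
)

if __name__ == "__main__":
    for f, no, reason, preview in scan_text(SAMPLE, "next.config.js"):
        print(f"{f}:{no}: {reason}: {preview}")
```

Run `scan_repo(".")` from the root of a freshly cloned repo before executing anything in it; an empty list means no padded lines were found in the listed config files, not that the repo is safe.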