Security Blog

634 Passwords in 56 Seconds


April 27, 2026 · By Marketing team


A developer went through two rounds of interviews with a fake company. Real website, real faces, real technical conversations. Then they ran the coding challenge. In under a minute, every Chrome password, the macOS Keychain, and crypto wallet data were gone.

A developer — security-aware, experienced, someone who actively looks for scams — went through a multi-stage interview process with a fake company. HR call. Technical interview with two engineers. Real website with team photos. Real LinkedIn profiles. Weeks of relationship building.

Then they were asked to run a small coding challenge during a screenshare.

56 seconds later, the attackers had 634 saved Chrome passwords, the macOS Keychain file (which contains the key to decrypt them), and MetaMask wallet data.

How the attack worked

The GitHub repo looked clean. A few backend files, nothing suspicious. But one dependency — winston-middleware, a normal-sounding logging package — had its own dependency: next-runtimejs.

That's where the weapon was.

The moment npm install ran, a shell script executed silently. No prompts, no warnings. It downloaded a Go-based backdoor and registered it to auto-start on every boot.

This wasn't a script kiddie tool. Custom RC4-encrypted C2 protocol. Commands for shell execution, file theft, Chrome password extraction, Keychain exfiltration, and crypto wallet targeting. Professionally built.

The backdoor started at 16:16:37. Chrome passwords were accessed at 16:17:33. The developer noticed a macOS popup about an outgoing connection and killed WiFi within a minute — but the damage was already done.

Why the interview mattered

This attack would fail as a cold email. "Run this repo" from a stranger gets ignored.

But after two rounds of interviews? After laughing together about how many fake job scams target developers? After one of the interviewers said "Feel free to look for backdoors" with a smile?

That's when your guard drops. Trust is the exploit. The malware is just the payload.

The developer said it best: "If it happened to me, it can happen to anyone on your team."

What Chrome passwords actually mean

Chrome encrypts saved passwords with AES. The decryption key is stored in the macOS Keychain. The attackers stole both files in under a minute.

Every saved password — banking, email, GitHub, cloud consoles — was readable on their end. The Keychain file can be cracked offline with no rate limits. The developer had to rotate everything.

This is the dirty secret of browser-saved passwords: they're encrypted with a key that lives on the same machine. Compromise the machine, and the "encryption" is decoration.

The DPRK pattern

The developer mentioned that their previous company was also hacked by North Korea three months earlier. This is the "Contagious Interview" campaign — DPRK state-sponsored attackers running fake job interviews to plant malware on developer machines.

It's not random. They target developers specifically because of what developers have access to: production credentials, signing keys, cloud infrastructure, and — increasingly — AI agent tokens that can access even more.

The scale is industrial. Fake companies with generated faces. Polished websites. Multi-week interview processes. They invest because the ROI is there.

"Password managers don't help"

The developer made an interesting claim in the thread: "Password managers don't help if they have access to your computer using a backdoor like this, because they can transmit any file later, craft a special exploit just for you, keyloggers, screenshots."

This is partially right and partially wrong.

A password manager that stores its vault on your local disk, unlocked by a master password you type — yes, a backdoor with keylogging and file access can compromise that.

But a password manager with hardware-bound keys — where the decryption key is derived from a physical authenticator and never exists as a file on disk — is fundamentally different. The backdoor can steal files, log keystrokes, take screenshots. But it cannot extract a key that only exists inside a hardware security module during a physical tap.

The 634 Chrome passwords were stolen because both the encrypted data and the decryption key were files on the filesystem. If the decryption key requires physical possession of a device, stealing files gets you encrypted blobs and nothing else.

What to do

  • Never run interview code on your primary machine. Use a VM or a separate device.
  • Run npm install --ignore-scripts on any unfamiliar repo before executing anything in it.
  • Use an outbound firewall (Little Snitch, LuLu) that alerts on new connections.
  • Stop saving passwords in Chrome. Full stop.
  • Keep crypto on hardware wallets, not browser extensions.
  • Treat every coding challenge from a recruiter as potentially hostile, no matter how many calls you've had.

The developer survived because a macOS popup caught the outgoing connection in time. Most people would have clicked Allow without a second thought.

56 seconds. That's all it takes.