Tell HN: Be cautious with take-home challenges
Hi HN,
As devs, we got used to take-home challenges while applying for jobs/projects. Some challenges ask you to write code from scratch; others expect you to update an existing project.
Today I had a case where I received a repository where I was asked to do a minor change before discussing the long-term opportunity.
Well, it turns out that the build script links a weird pre-start script. Paying attention to this, I found out that the script was malicious.
One of the things that made me suspicious was the lack of details from the hiring company + getting the take-home challenge without much effort.
All of this got me thinking: there is nothing preventing attackers from creating a fake company website/jobs/emails and leveraging the take-home challenge approach to infect people.
Have you seen any similar approach?

I definitely remember reading about similar cases on HN some time ago: random HR tries to poach a dev from a company, but during the interview they manage to hack the current employer of the dev. Maybe I can even find it... (though don't hold your breath)
Edit: If you were holding your breath, you can let it go: https://news.ycombinator.com/item?id=32001742

That's an interesting post, thanks for sharing. I forgot to link a small technical thread I created explaining my case: https://twitter.com/alexitcdev/status/1696582302267236604
EDIT: Same thread but as an image https://codepreview.io/assets/takehome-challenge-thread.png
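One way to see what a received repository would execute before running anything, as an added example that is not part of the thread. It assumes an npm-style `package.json` (the post does not name the build tool), and the sample manifest, script names and file paths are constructed for illustration.

```python
import json
import re

# Hooks npm runs implicitly during `npm install`, without being named on the command line.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Matches `npm run x`, `npm x`, `yarn x`, `pnpm run x` inside a script command.
RUN_REF = re.compile(r"\b(?:npm|yarn|pnpm)\s+(?:run(?:-script)?\s+)?([\w:.-]+)")
FILE_REF = re.compile(r"[\w./-]+\.(?:js|cjs|mjs|sh|ts)\b")

# Constructed sample: a build script that chains into a pre-start script.
SAMPLE = """{
  "name": "takehome-challenge",
  "scripts": {
    "build": "npm run prestart && tsc",
    "prestart": "node ./scripts/env-check.js",
    "start": "node dist/index.js",
    "postinstall": "node ./scripts/setup.js"
  }
}"""

def expand(scripts, name, seen=None):
    """Ordered (script, command) pairs run by `npm run <name>`, including
    pre/post hooks and scripts chained through `npm run <other>`."""
    seen = set() if seen is None else seen
    out = []
    for step in ("pre" + name, name, "post" + name):
        if step not in scripts or step in seen:
            continue
        seen.add(step)  # guards against scripts that reference each other
        out.append((step, scripts[step]))
        for ref in RUN_REF.findall(scripts[step]):
            if ref in scripts:
                out.extend(expand(scripts, ref, seen))
    return out

def commands_before_you_run(package_json_text, entry):
    """Everything `npm install` followed by `npm run <entry>` would execute."""
    scripts = json.loads(package_json_text).get("scripts", {})
    steps = [(h, scripts[h]) for h in INSTALL_HOOKS if h in scripts]
    return steps + expand(scripts, entry)

def files_to_read(steps):
    """Script files referenced by those commands: read these before running."""
    return sorted({f for _, cmd in steps for f in FILE_REF.findall(cmd)})

if __name__ == "__main__":
    steps = commands_before_you_run(SAMPLE, "build")
    for name, cmd in steps:
        print(f"{name:12} {cmd}")
    print("read first:", files_to_read(steps))
```

The manifest is parsed as text only, so nothing from the repository runs during the review.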