I was likely targeted by DPRK in a sophisticated developer malware campaign
/dev/random
On 25 May 2026, I received a remote smart-contract-security recruiting email from “Olivia Ben” at “Pulsynk.” It asked me to clone a GitLab repository called rekt-db and open it in VS Code or Cursor. The repository turned out to contain a hidden folder-open task, a malicious extension installer, and native wallet/credential-stealing binaries for macOS and Linux.

I did not run it. The mechanics are consistent with DPRK developer-targeting campaigns such as Microsoft’s Contagious Interview (MITRE G1052), but I am treating the attribution as tradecraft similarity, not proof of operator identity.

Methodology note

I treated the email as suspicious from the outset, but I did not start with a dedicated research VM. I opened the GitLab repository through my hardened browser and browsed the files there. Once I noticed the .vscode/tasks.json folder-open task and the env.sh script containing base64-encoded material, I stopped manual inspection and handed the analysis to Kimi 2.6 in Agent mode, which runs with its own sandbox. I did not execute any of the scripts or binaries on my workstation. Static analysis was then supplemented with Kimi 2.6, and I uploaded the relevant samples to VirusTotal for additional analysis.

I reported the repository to GitLab Trust & Safety (abuse@gitlab.com), notified Advin Servers (abuse@advinservers.com) as the hosting provider for the C2 IP, and submitted a report to the Swiss National Cyber Security Centre (NCSC). I do not expect a follow-up from NCSC, but reporting it there still creates a record.

The email

I am not looking for a new job. What made me curious was how this landed in my mailbox at all: Proton Mail usually catches spam and phishing attempts quite effectively, but this one went straight to the inbox.

The email followed a template now familiar to anyone tracking developer-targeted social engineering.
The sender used a plausible name, a fabricated company with a live website (pulsynk.org, archive), and a salary figure calibrated to attract experienced security engineers. The website immediately gave me AI slop vibes, but ironically that also matched what I might expect from a very early-stage startup trying to look bigger than it is.
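Before the message itself, here is a pre-open check for the two repository-side indicators described above: a .vscode/tasks.json task configured to run when the folder is opened, and a shell script carrying a long base64 blob. This is an added example, not code from this post or from the rekt-db repository; the sample repository it builds is constructed with harmless placeholder content, and the file layout, task label and 80-character threshold are assumptions. It decodes embedded blobs only to produce a printable preview and never executes anything.

```python
"""Pre-open triage of a cloned repository for editor auto-run hooks.

Added example, not code from the original post. The sample repository is
constructed here so the script runs offline; nothing in it is executed.
"""
import base64
import json
import re
import tempfile
from pathlib import Path

# Runs of base64 alphabet 80+ chars long: well past anything a normal
# shell script contains outside of an embedded payload (threshold is an assumption).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def folder_open_tasks(repo: Path) -> list[str]:
    """Labels of tasks in .vscode/tasks.json that the editor may run on folder open."""
    tasks_file = repo / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    # tasks.json is JSONC in practice; drop full-line // comments (assumption: no block comments).
    text = re.sub(r"^\s*//.*$", "", tasks_file.read_text(encoding="utf-8"), flags=re.M)
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return ["<unparseable tasks.json>"]  # a file we cannot parse is itself a finding
    return [
        str(task.get("label", "<unlabelled>"))
        for task in data.get("tasks", [])
        if isinstance(task, dict) and task.get("runOptions", {}).get("runOn") == "folderOpen"
    ]


def base64_blobs(repo: Path, suffixes=(".sh", ".js", ".py")) -> dict[str, list[str]]:
    """Map script path -> printable previews of embedded base64 runs (decoded, never run)."""
    findings: dict[str, list[str]] = {}
    for path in repo.rglob("*"):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        previews = []
        for blob in BASE64_RUN.findall(path.read_text(encoding="utf-8", errors="replace")):
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:
                continue  # long token, but not valid base64
            previews.append(raw.decode("utf-8", errors="replace")[:60])
        if previews:
            findings[str(path.relative_to(repo))] = previews
    return findings


def triage(repo: Path) -> dict:
    """Both checks together; any non-empty field means: do not open this folder in a trusted editor session."""
    return {"folder_open_tasks": folder_open_tasks(repo), "base64_blobs": base64_blobs(repo)}


def build_sample_repo() -> Path:
    """Constructed sample mirroring the shape the post describes, with harmless placeholder content."""
    repo = Path(tempfile.mkdtemp(prefix="triage-sample-"))
    (repo / ".vscode").mkdir()
    (repo / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{
            "label": "setup",                      # assumed label
            "type": "shell",
            "command": "bash env.sh",
            "runOptions": {"runOn": "folderOpen"},  # the auto-run hook being hunted
        }],
    }))
    payload = b"echo 'constructed placeholder payload, not the campaign sample'"
    (repo / "env.sh").write_text("#!/bin/sh\nPAYLOAD=" + base64.b64encode(payload).decode() + "\n")
    (repo / "README.md").write_text("# rekt-db sample\n")
    return repo


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_repo()), indent=2))
```

Run it against a fresh clone before the editor ever sees the folder; the same check belongs in VS Code's Workspace Trust decision, since Restricted Mode does not run workspace tasks and is the right default for any repository you have not reviewed.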
Email message

Hi denysvitali,

After reviewing your GitHub profile, I believe your background and experience make you an excellent fit for this opportunity.

Pulsynk is hiring a Smart Contract Security Engineer (Foundry / Anchor) on a remote basis. The role centers on rekt-db, our open dataset of on-chain exploits with structured post-mortems and PoC scaffolding for Foundry and Anchor.

The role focuses on curating exploit metadata, writing precise post-mortems, and shipping reproducible PoCs in Foundry or Anchor. Strong Solidity or Anchor fundamentals, and comfort reading complex exploit traces, are required.

Clone the repo below, review the code, and let us know your strengths, your honest opinions, and the ideas you would bring. Strong candidates start with a 3-month paid onboarding at 8K USD / month, and join the team full-time on successful completion.

The repository currently has a single baseline commit by design -- we are still at the startup stage, and this scaffold is the test project we share with each candidate so we can compare approaches and pick the engineer who will own the next iterations.

v1.0 ships in 4 weeks. We are looking for engineers who can help us reach that milestone.

Open it in your editor

VS Code
git clone hxxps://gitlab[.]com/pulsynk-org/rekt-db[.]git && cd rekt-db && code .

Cursor
git clone hxxps://gitlab[.]com/pulsynk-org/rekt-db[.]git && cd rekt-db && cursor .

How to apply

If this looks relevant, reply with a CV or a brief note about your background and we will take it from there.

Looking forward to hearing whether the role is a fit.

Thanks,
Olivia Ben
Pulsynk

© 2026 Pulsynk
One-time outreach based on public GitHub activity. Reply "no thanks" and we will not contact you again.
I intentionally defanged the repository URL above so the commands are not directly copy-pasteable, although this post should already be a good reminder not to copy and paste random commands from strangers anyway.

Why it reached the inbox

The headers explain why this did not look obviously suspicious to mail filtering:

| Header signal | Value |
| --- | --- |
| Delivery time | Mon, 25 May 2026 07:35:03 +0000 |
| Sending service | Mailgun |
| Sending IP | 159.135.228[.]5 |
| Return-Path | bounce+...@hr.pulsynk.org |
| DKIM | pass, signing domain hr.pulsynk.org |
| SPF | pass, smtp.mailfrom=hr.pulsynk.org |
| DMARC | pass, policy p=none |
| From | Olivia Ben |
| Sender | oliviaben@hr.pulsynk.org |
| Reply-To | alex@pulsynk.org |
| Proton spam score | 0 |
| Proton action | inbox |

The important point is that email authentication only proves that the message was authorized by the domain sending it. It does not prove that the company is real, that the recruiter is legitimate, or...
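To make that point concrete, here is an added example (not code from this post) that reads the Authentication-Results of a header set constructed to match the table above and separates what a clean SPF/DKIM/DMARC pass actually establishes from what it does not. The domains and Reply-To follow the table; the authserv-id authserv.example, the Return-Path local part, the From address (assumed to be the same as Sender) and the Subject are placeholders.

```python
"""What passing email authentication does and does not tell you.

Added example, not code from the original post. RAW_HEADERS is constructed
to match the header table in the post; authserv.example is a placeholder.
"""
import re
from email import message_from_string
from email.utils import parseaddr

RAW_HEADERS = """\
Return-Path: <bounce+placeholder@hr.pulsynk.org>
Authentication-Results: authserv.example;
 dkim=pass header.d=hr.pulsynk.org;
 spf=pass smtp.mailfrom=hr.pulsynk.org;
 dmarc=pass (p=none) header.from=hr.pulsynk.org
From: Olivia Ben <oliviaben@hr.pulsynk.org>
Sender: oliviaben@hr.pulsynk.org
Reply-To: alex@pulsynk.org
Subject: Smart Contract Security Engineer (Foundry / Anchor)

"""


def parse_auth_results(value: str) -> dict[str, dict[str, str]]:
    """Parse RFC 8601 'method=result prop=value ...' clauses into {method: {...}}."""
    value = " ".join(value.split())            # unfold the header
    _, _, body = value.partition(";")          # drop the authserv-id
    results: dict[str, dict[str, str]] = {}
    for clause in body.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        # DMARC receivers usually put the published policy in a (comment); keep it.
        comment = re.search(r"\(([^)]*)\)", clause)
        policy = re.search(r"\bp=(\w+)", comment.group(1)) if comment else None
        parts = re.sub(r"\([^)]*\)", "", clause).split()
        method, _, result = parts[0].partition("=")
        props = {"result": result}
        for prop in parts[1:]:
            key, _, val = prop.partition("=")
            props[key] = val
        if policy:
            props["policy"] = policy.group(1)
        results[method] = props
    return results


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def assess(raw: str) -> dict:
    """Summarise the authentication outcome and the identity questions it leaves open."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    dkim_domain = auth.get("dkim", {}).get("header.d", "").lower()
    spf_domain = auth.get("spf", {}).get("smtp.mailfrom", "").lower()
    all_pass = all(auth.get(m, {}).get("result") == "pass" for m in ("dkim", "spf", "dmarc"))
    return {
        "all_pass": all_pass,
        # What the pass proves: the From domain is the domain that signed and sent.
        "from_domain": from_domain,
        "aligned": from_domain in (dkim_domain, spf_domain),
        # What it leaves open: who controls that domain, and where replies really go.
        "reply_to_domain": reply_domain,
        "reply_to_differs": bool(reply_domain) and reply_domain != from_domain,
        "dmarc_policy": auth.get("dmarc", {}).get("policy", "unknown"),
        "verdict": ("authenticated sender domain; organisation identity NOT established"
                    if all_pass else "authentication failed or incomplete"),
    }


if __name__ == "__main__":
    for key, val in assess(RAW_HEADERS).items():
        print(f"{key:>16}: {val}")
```

A filter scoring on these results alone sees a fully aligned pass, which is exactly what the table shows; the only signals pointing at a human review are the ones authentication cannot answer (who registered the domain, why replies go to a different one, and whether the company exists), so a mailbox rule that trusts a pass as a legitimacy verdict is mis-calibrated by design.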