Think Before You Run npm install in Tech Interviews
October 28, 2025
(NOTE: The links will probably stop working eventually, since these hackers wouldn’t want to expose their methods.)
Quick tip for anyone going through tech interviews:
Never, and I mean never, run random npm install scripts or npm run dev commands from company repositories when completing technical tasks.
For example, something like this:
https://bitbucket.org/react_test_hiring/react_test_hiring/src/main/
At first, it might seem like a simple React project, but if we dig deeper, we can quickly find some strange scripts required to run the app:


When you decode the base64 string:
aHR0cHM6Ly9hdXRoLXBoaS1zd2FydC52ZXJjZWwuYXBwL2FwaQ==, it reveals: https://auth-phi-swart.vercel.app/api

…which could, in fact, be malware and potentially give full access to your account and machine depending on how you run it:

If a company insists that you run some random repository on your machine, you can simply refuse, or at the very least, scan such repositories first using your CLI AI agent before running anything.
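One way to do part of that scan yourself, as an added example that is not part of the original post or the repository it describes: the sketch below reads file contents only, lists the package.json scripts (marking the ones npm fires during install), and decodes base64 literals to surface hidden URLs like the one above. The sample repository, its file names and the example.invalid URL are constructed for illustration.

```javascript
// Added example (not from the original post): static triage of an untrusted
// repository, done by reading files only. No npm command is executed.

// Common lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Base64 candidates: runs of 16+ base64 characters with optional padding.
const B64_RE = /[A-Za-z0-9+\/]{16,}={0,2}/g;

// Decode every candidate and keep the ones that turn out to be http(s) URLs.
function findEncodedUrls(text) {
  const hits = [];
  for (const [encoded] of text.matchAll(B64_RE)) {
    const decoded = Buffer.from(encoded, "base64").toString("utf8");
    if (/^https?:\/\/[\x21-\x7e]+$/.test(decoded)) hits.push({ encoded, decoded });
  }
  return hits;
}

// List package.json scripts, marking those that fire on install without being asked.
function reviewScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return Object.entries(scripts).map(([name, command]) => ({
    name, command, runsOnInstall: INSTALL_HOOKS.includes(name),
  }));
}

// files: { "relative/path": "file contents" }, as read from disk by the caller.
function triage(files) {
  const report = { scripts: [], encodedUrls: [] };
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith("package.json")) report.scripts.push(...reviewScripts(text));
    for (const hit of findEncodedUrls(text)) report.encodedUrls.push({ path, ...hit });
  }
  return report;
}

// Constructed sample repository (hypothetical file names and contents).
const sampleUrl = Buffer.from("https://example.invalid/api").toString("base64");
const sampleRepo = {
  "package.json": JSON.stringify({
    scripts: { dev: "node server/boot.js && vite", prepare: "node server/boot.js" },
  }),
  "server/boot.js": `const target = atob("${sampleUrl}");\nfetch(target);`,
  "src/App.jsx": "export default function App() { return null; }",
};

console.log(JSON.stringify(triage(sampleRepo), null, 2));
```

Read every script command it lists, not only the install hooks: npm run dev executes whatever the dev entry points at.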