By Staff Writer at LMG Security   /   Jun 9th, 2026

The Job Interview Is the Attack

There’s a new way into your organization, and it doesn’t start with a phishing email or a malicious attachment. It starts with a job offer. 

Attackers posing as recruiters are approaching software developers on LinkedIn, walking them through a real interview, and sending a “coding challenge” that quietly installs malware. LMG Security’s Director of Penetration Testing, Tom Pohl, uncovered the campaign after a contact forwarded a suspicious interview repository. It was not a one-off. The compromise happens during hiring — before the candidate is ever on your payroll. As LMG Security founder Sherri Davidoff puts it: “We must secure our human supply chain.” 

By safely monitoring the attackers’ own infrastructure, LMG observed 22 unique compromised endpoints across 11 countries in just three days (June 2–4, 2026), spanning Windows, macOS, and Linux/WSL2 — from Germany and India to the U.S., Ukraine, Japan, Ireland, and Finland. This is a live, global, active operation. 

 

From the LMG Security whitepaper: 22 endpoints, 11 countries, and 3 platforms observed in three days. 

 

Here’s why it belongs on your radar even though the target isn’t your employee yet. When a candidate is compromised before they’re hired, the risk can follow them straight into your organization through: 

  • Reused credentials — stolen passwords that still unlock corporate systems. 
  • Stolen MFA material — session cookies and tokens that bypass authentication. 
  • Scraped tokens — API keys and access tokens harvested from developer tools. 
  • An infected endpoint — a personal device that later touches your systems during onboarding or remote work. 

“They’re already kind of damaged goods,” Pohl says. “Before you even show up, they’re already compromised — and they don’t even necessarily know it.” 

That’s what makes this so effective. The victim never clicks a sketchy link or opens a strange file. They follow the normal steps of a coding challenge, the same workflow developers run all the time. And because the malware grabs what it needs and leaves rather than digging in, the theft is easy to miss and hard to trace back to the interview. 

The takeaway for security leaders: your next great hire could come with someone else’s breach. Hiring and onboarding belong inside your security program, not beside it. 

Over the next few posts we’ll break this down piece by piece: the fake persona, the message that lowers your guard, the install step that pulls the trigger, what the malware steals, and what you can do about it. 

 

Go deeper 

Read the full technical analysis — the complete attack chain, indicators of compromise, and how our team decoded the payload — in the LMG Security whitepaper at LMGsecurity.com, in our Resources section. And hear Tom and Sherri break it down on the Cyberside Chats episode, “Damaged Goods: When Your New Hire Is Already Compromised.”
