As devs, we got used to take-home challenges while applying for jobs/projects, some challenges ask you to write code from scratch, others expect you to update an existing project.

Today I had a case where I received a repository where I was asked to do a minor change before discussing the long-term opportunity.

Well, turns out that the build script links a weird pre-start script, paying attention to this I found out that the script was malicious.

One of the things that made me suspicious was the lack of details from the hiring company + getting the take-home challenge without much effort.

All of this got me thinking, there is nothing preventing attackers to create a fake company website/jobs/emails and leverage the take-home challenge approach to infect people.

Have you saw any similar approach?