SlowMist has identified a malicious campaign targeting developers through fake Web3 job offers. Attackers impersonated recruiters on LinkedIn, gaining trust by discussing work experience and interviews before sending a GitHub repository disguised as an 'interview MVP'. The repository contained a hidden Node.js loader in the theme/js/auron-core.min.js file, masquerading as a Tailwind plugin. When executed, it deployed payloads to steal browser credentials and wallet data, collect sensitive files, execute remote commands, and monitor clipboards. SlowMist advises developers to scrutinize project scripts, dependencies, and build configurations before running unknown code.