Last week I received a take-home assignment from a company calling itself a real estate technology firm. The email was well-formatted. The instructions were plausible. The package was a zipped Node.js project with a README that asked me to implement a data ingestion feature and return the result within forty-eight hours. Standard stuff. I've done thirty of these in the past year.

I did not run it.

What I found instead, after twenty minutes of static analysis, was a three-stage infostealer with a persistent socket backdoor, a browser credential exfiltration loop, and a recursive filesystem sweeper that specifically prioritizes ~/development, ~/Development, ~/Documents, and ~/Desktop — in that order — before crawling the rest of your home directory for anything matching the words "wallet," "private_key," "seed," "api_key," "token," ".env," or "password." The payload was 3.8 MB of obfuscated JavaScript. The legitimate-looking feature request was the delivery mechanism. The take-home was the pretext.…