PSA: Fake Web3 “job assessment” repos can hide malware in .git/hooks — check before you commit - HACK
If you do Web3/Solidity freelance work or take “technical assessments” from clients you don’t know well, watch for this scam.
You get a repo or zip that looks legitimate — Compound-style contracts, token vaults, README asking you to fix issues and commit to an assessment branch. The trap usually isn’t in the Solidity files. It’s in .git/hooks/.
What happens
When you run:
- git commit
- git push
- git checkout
a hidden hook may download and run a remote script in the background (often via curl or wget piped into cmd, sh, or bash). Typical goal: steal browser wallet data, saved passwords, clipboard content, and dev keys from your machine.
This is not a “connect MetaMask on the website” scam. It hits developers who only run git and never open the app.
Names seen in the wild (not a complete list)
Repos are often named like fake company or project assessments (e.g. names suggesting smart contracts, token vaults, or “Bellus”-style DeFi work). The pattern matters more than the exact folder name: fake hiring task + poisoned git hooks.
Check BEFORE any git command
From the repo root:
cat .git/hooks/pre-commit
cat .git/hooks/pre-push
cat .git/hooks/post-checkout
ls -la .git/hooks/
Red flags:
- curl or wget piped to | cmd, | sh, or | bash
- Downloads from an unknown remote server
- Obfuscated shell code
- Custom hook files that aren’t the default *.sample files Git ships
Fresh clones from strangers should only have .sample hooks unless you installed something trusted.
How to protect yourself
- Read every file in .git/hooks/ before your first commit or checkout.
- If you only need to review code, extract the zip and delete the .git folder — or don’t run git at all.
- Use a VM or separate machine for unknown client code, not your daily PC with wallets installed.
- Use a hardware wallet for real funds; don’t enter a seed phrase on a dev machine.
- Be wary of clients who rush you to “commit and send the zip back” without a normal interview process.
- Delete suspicious repos after reporting; don’t keep using git in them.
If you already ran git in a suspicious repo
Treat the machine as potentially compromised:
- Run a full antivirus scan plus an offline boot scan if your AV supports it
- Change email and important passwords from a different, clean device
- Assume any wallet used on that PC may be at risk — use a new seed on clean hardware for future funds
- Revoke old token approvals through your wallet or a reputable approval-revocation toolIf you do Web3/Solidity freelance work or take “technical assessments” from clients you don’t know well, watch for this scam .You get a repo or zip that looks legitimate — Compound-style contracts, token vaults, README asking you to fix issues and commit to an assessment branch. The trap usually isn’t in the Solidity files. It’s in .git/hooks/.What happensWhen you run:git commit git push git checkouta hidden hook may download and run a remote script in the background (often via curl or wget piped into cmd, sh, or bash). Typical goal: steal browser wallet data, saved passwords, clipboard content, and dev keys from your machine.This is not a “connect MetaMask on the website” scam. It hits developers who only run git and never open the app.Names seen in the wild (not a complete list)Repos are often named like fake company or project assessments (e.g. names suggesting smart contracts, token vaults, or “Bellus”-style DeFi work). The pattern matters more than the exact folder name: fake hiring task + poisoned git hooks.Check BEFORE any git commandFrom the repo root:cat .git/hooks/pre-commit cat .git/hooks/pre-push cat .git/hooks/post-checkoutls -la .git/hooks/Red flags:curl or wget piped to | cmd, | sh, or | bash Downloads from an unknown remote server Obfuscated shell code Custom hook files that aren’t the default *.sample files Git shipsFresh clones from strangers should only have .sample hooks unless you installed something trusted .How to protect yourselfRead every file in .git/hooks/ before your first commit or checkout. If you only need to review code, extract the zip and delete the .git folder — or don’t run git at all. Use a VM or separate machine for unknown client code, not your daily PC with wallets installed. Use a hardware wallet for real funds; don’t enter a seed phrase on a dev machine. Be wary of clients who rush you to “commit and send the zip back” without a normal interview process. Delete suspicious repos after reporting; don’t keep using git in them.If you already ran git in a suspicious repoTreat the machine as potentially compromised:Run a full antivirus scan plus an offline boot scan if your AV supports it Change email and important passwords from a different, clean device Assume any wallet used on that PC may be at risk — use a new seed on clean hardware for future funds Revoke old token approvals through your wallet or a reputable approval-revocation tool