An adversarial coding test
2026-01-21 • Runjak •
https://runjak.codes/posts/2026-01-21-adversarial-coding-test/
A suspicious developer coding test used VS Code task definitions to pipe OS-specific commands from Vercel-hosted endpoints into shell or cmd, creating a likely script-execution risk for job applicants. Repository history showed several infrastructure variants, including Vercel-hosted codeviewer and platform domains, plus a Linux chain that retrieved tokenlinux.sh and used a short-lived JWT. The activity fits social-engineering tradecraft seen in developer-targeting campaigns where interview tasks or coding assessments are used to execute remote commands and stage follow-on payloads.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 87539eefa9ed1f0c2ba29b5cff9010e… | 2026-01-21 | 2026-01-21 |
| HASH | 11b4a10208d87d32ffee8a59132c4d9… | 2026-01-21 | 2026-01-21 |
| HASH | 1f09787fa3e41dc66c253bd9c7eb6d8… | 2026-01-21 | 2026-01-21 |
| URL | https://codeviewer-three.vercel… | 2026-01-21 | 2026-01-21 |
| URL | https://vscode-lnc.vercel.app/t… | 2026-01-21 | 2026-01-21 |
| URL | https://jerryfox-platform.verce… | 2026-01-21 | 2026-01-21 |
| URL | https://codeviewer-three.vercel… | 2026-01-21 | 2026-01-21 |
| URL | http://codeviewer-three.vercel.… | 2026-01-21 | 2026-01-21 |
| URL | https://codeviewer-three.vercel… | 2026-01-21 | 2026-01-21 |
| URL | https://codeviewer-three.vercel… | 2026-01-21 | 2026-01-21 |
| URL | https://jerryfox-platform.verce… | 2026-01-21 | 2026-01-21 |
| URL | https://jerryfox-platform.verce… | 2026-01-21 | 2026-01-21 |
| URL | https://vscode-lnc.vercel.app/t… | 2026-01-21 | 2026-01-21 |
| URL | https://vscode-lnc.vercel.app/t… | 2026-01-21 | 2026-01-21 |