Analysis of LinkedIn Recruitment Phishing

2025-03-15 Slowmist

https://slowmist.medium.com/slowmist-analysis-of-linkedin-recruitment-phishing-4b4b55e02bf4


SlowMist analyzes a LinkedIn recruiting lure that pushed a blockchain engineer toward a Bitbucket project for a supposed Socifi game and staking platform. The repository hid a malicious payload far to the right of an otherwise normal-looking server.js line, then executed it when the victim ran npm start. Dynamic analysis captured C2 traffic to 216.173.115.200:1244, follow-on downloads such as test.js and Python payload components, and scripts intended to maintain persistence. The malware collected host and environment data, stole browser and wallet-extension material, looked for SSH private keys and saved credentials, and prepared for crypto-asset theft.
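As an added example (not part of the SlowMist report or its tooling), the following Python scan targets the padding trick described above: it flags any source line where code resumes only after a long run of whitespace, and lists the risky APIs that appear in the hidden tail. The server.js content and the base64 placeholder it scans are constructed for the demonstration.

```python
import re

# Constructed sample imitating the trick described in the report: a normal
# statement, then hundreds of spaces, then the real payload off-screen.
SAMPLE_SERVER_JS = "\n".join([
    "const express = require('express');",
    "const app = express();",
    "app.use(express.json());" + " " * 500
        + "eval(Buffer.from('<BASE64_PLACEHOLDER>', 'base64').toString());",
    "app.listen(3000, () => console.log('listening'));",
])

# No formatter emits a whitespace run this long between two tokens on one
# line; it only serves to push the tail beyond the visible editor width.
PADDING_THRESHOLD = 100

# APIs that typically show up in the hidden part of such a line.
SUSPICIOUS = re.compile(
    r"\b(eval|Function|child_process|atob|fromCharCode|Buffer\.from)\b")

def find_padded_lines(source, threshold=PADDING_THRESHOLD):
    """Return one finding per line where code resumes after a long whitespace run."""
    pattern = re.compile(r"\S([ \t]{%d,})(\S.*)$" % threshold)
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = pattern.search(line)
        if not m:
            continue
        hidden = m.group(2)
        findings.append({
            "line": lineno,
            "visible": line[:m.start(1)],           # what the reviewer sees
            "padding": len(m.group(1)),             # width of the gap
            "hidden": hidden,                       # what actually runs
            "apis": sorted(set(SUSPICIOUS.findall(hidden))),
        })
    return findings

def main():
    for f in find_padded_lines(SAMPLE_SERVER_JS):
        print(f"line {f['line']}: {f['padding']} chars of padding after {f['visible']!r}")
        print(f"  hidden tail: {f['hidden'][:80]}")
        print(f"  suspicious APIs: {', '.join(f['apis']) or 'none'}")

if __name__ == "__main__":
    main()
```

Running it over a cloned repository before `npm start` (for example with `find . -name '*.js'` feeding each file to `find_padded_lines`) surfaces such lines regardless of editor width; tabs are counted as padding as well.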

Indicators of Compromise

Type    Value             First Seen    Last Seen
IPv4    95.179.135.133    2025-03-15    2026-01-21
IPv4    45.59.163.56      2025-03-15    2026-01-21
IPv4    216.173.115.200   2025-03-15    2026-01-21
IPv4    5.135.5.48        2025-03-15    2025-03-15
IPv4    45.59.1.2         2025-03-15    2025-03-15
