The write-up documents a developer recruitment scam presented as DPRK-linked activity under DEV#POPPER, Contagious Interview, and the XCTDH technique. A Discord persona posing as a hiring lead for a React developer role approached targets in developer and crypto communities, used a plausible company and job-posting story, and directed the victim to a GitHub React technical assessment repository. The obvious package metadata and server entry point appeared clean, but dynamic analysis showed the project contacting express-project-ifm6fa.fly.dev after startup. The malicious trigger was hidden in config/database.js, which fetched JSON, extracted obfuscated JavaScript from a description field, and evaluated it as a payload, illustrating how fake interview tasks can hide execution paths outside the files developers usually inspect first.