A fake LinkedIn recruiter posing as a 0G Labs representative targeted a crypto/Web3 CEO with a technical assessment that required cloning a Bitbucket repository and opening it in VS Code or Cursor. The repository hid three independent execution paths: a VS Code folder-open task that piped a Vercel stager into Node, an npm prepare hook, and route code that exfiltrated process.env secrets before executing server-supplied JavaScript. The captured BeaverTail chain fingerprinted the host, beaconed every five seconds to 104.192.42.117:3000, received a second-stage Node.js bootstrapper, and attempted to run an in-memory C2 agent with hidden child processes, ID rotation, and a kill switch. Operators killed the analysis sessions after recognizing AWS datacenter infrastructure, showing active victim triage tied to the DPRK Contagious Interview campaign.