Npm Run Hack:Me - A Supply Chain Attack Journey

2025-03-10 ronxjansen

https://rxj.dev/posts/npm-run-hack-supply-chain-attack-journey/

A fake Web3 recruiting process led a freelance developer to run a project that installed malware through an unfamiliar npm package named process-log. The package started a second Node.js server, fetched obfuscated JavaScript from npoint.io JSON endpoints, and executed the returned "cookie" content with eval. The payload opened a persistent websocket, searched for browser cookies, Electron data, keychains, SSH keys, secrets files, and Web3 project material, then uploaded collected data to attacker infrastructure on a 15-second loop. The victim responded by wiping the workstation and rotating API keys and passwords, making the case a practical example of recruiter-led supply-chain compromise against developers.

Indicators of Compromise

