Personal experience regarding an interview that ended in a scam
2024-12-03 • sohay666
https://sohay666.github.io/article/en/reversing-scam-interview-base-on-js-project.html
A fake remote job interview led the victim to clone and run a Node.js project containing obfuscated malicious JavaScript. The code collected host details and targeted sensitive data from Solana wallet configuration, Exodus, browser credential stores, Chrome and Brave profiles, macOS Keychain, and application configuration files. Dynamic analysis showed staged downloads from 86.104.74.51:1224, including a backdoor/dropper, a browser-focused malware component whose payload URL was XOR-obfuscated with the key !!!HappyPenguin1950!!!, and a keylogger component. The keylogger watched for browser processes, checked for crypto-wallet mnemonic material, and posted captured data to 95.164.7.171:8637/api/clip, making the case useful for tracking interview-themed developer targeting and credential-theft tradecraft.
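The write-up reports that the payload URL was hidden with repeating-key XOR under the key quoted above. The following is an added analyst helper, not code from the article or the malware, that reverses that obfuscation; the encoded blob is constructed here from a placeholder URL, and the hex-blob layout is an assumption about how such strings typically appear in obfuscated JS.

```python
# Added example (not from the original article): repeating-key XOR
# de-obfuscation of the kind the write-up describes, using the key the
# article reports. The sample blob below is constructed from a placeholder
# URL; it is not the real payload URL from the case.
XOR_KEY = b"!!!HappyPenguin1950!!!"  # key reported in the article


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply repeating-key XOR; the same operation encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_hex_blob(blob_hex: str, key: bytes = XOR_KEY) -> str:
    """Decode a hex-encoded, XOR-obfuscated string (assumed layout)."""
    return xor_bytes(bytes.fromhex(blob_hex), key).decode("utf-8", errors="replace")


def looks_like_url(s: str) -> bool:
    """Cheap sanity check that a candidate key produced a plausible URL."""
    return s.startswith(("http://", "https://")) and s.isprintable()


# Constructed sample: a placeholder URL obfuscated with the reported key.
SAMPLE_URL = "http://PLACEHOLDER-C2.invalid:1224/payload.js"
SAMPLE_BLOB_HEX = xor_bytes(SAMPLE_URL.encode(), XOR_KEY).hex()

if __name__ == "__main__":
    decoded = decode_hex_blob(SAMPLE_BLOB_HEX)
    print(decoded, looks_like_url(decoded))
```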
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 86.104.74.51 | 2024-12-03 | 2025-11-13 |
| IPv4 | 95.164.7.171 | 2024-10-14 | 2025-07-26 |
| IPv4 | 23.254.229.101 | 2024-12-03 | 2025-04-25 |
| URL | https://pastebin.com/raw/suEqUQ… | 2024-12-03 | 2024-12-03 |