Uncovering a Web3 Interview Scam

2025-08-12 Slowmist

https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3

SlowMist analyzed a Web3 interview lure in which a self-proclaimed Ukrainian team asked a target to clone the EvaCodes-Community/UltraX GitHub repository. The project replaced a previously removed malicious dependency, [email protected], with [email protected], whose code decrypted and executed obfuscated JavaScript from a LICENSE file. The package harvested browser data, cryptocurrency wallet files, Keychain material, Exodus wallet data, credentials, clipboard and screen data, and sent results to attacker-controlled infrastructure. Additional modules downloaded Python payloads, checked for virtualized environments, opened socket.io command channels, and supported command execution through servers including 144.172.112.106 and 172.86.64.67. The body does not attribute the activity to a DPRK actor, but the developer-interview lure and crypto-wallet theft make it relevant to Web3 hiring-scam and asset-theft monitoring.
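As an added example (not SlowMist's code), the following Python heuristic walks an installed node_modules tree and flags packages showing the loader pattern described above: JavaScript that reads a LICENSE file and passes its contents to an eval or decrypt sink, or that embeds the network indicators from the table below. The regexes and the constructed sample packages are assumptions for illustration, not signatures from the report.

```python
import os
import re
import tempfile

# Heuristic patterns; assumptions for this example, not signatures from the report.
LICENSE_READ = re.compile(r"readFileSync\s*\([^)]*LICENSE", re.I)
EXEC_SINK = re.compile(r"\beval\s*\(|new\s+Function\s*\(|vm\.runInThisContext|createDecipheriv")
# Network indicators copied from the page's IoC table.
INDICATORS = ("144.172.112.106", "172.86.64.67", "installssocket.io")

def scan_package(pkg_dir):
    """Return (relative_path, reason) findings for one installed package."""
    findings = []
    for root, _, files in os.walk(pkg_dir):
        for name in files:
            if not name.endswith((".js", ".cjs", ".mjs", ".json")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                src = fh.read()
            rel = os.path.relpath(path, pkg_dir)
            if LICENSE_READ.search(src) and EXEC_SINK.search(src):
                findings.append((rel, "reads LICENSE and passes data to an exec/decrypt sink"))
            for ioc in INDICATORS:
                if ioc in src:
                    findings.append((rel, "contains indicator " + ioc))
    return findings

def scan_node_modules(nm_dir):
    """Map package name -> findings, keeping only packages that tripped a rule."""
    report = {}
    for pkg in sorted(os.listdir(nm_dir)):
        hits = scan_package(os.path.join(nm_dir, pkg))
        if hits:
            report[pkg] = hits
    return report

def build_demo():
    """Constructed node_modules tree for a dry run (sample, not the real package)."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    os.makedirs(os.path.join(nm, "clean-lib"))
    os.makedirs(os.path.join(nm, "shady-lib"))
    with open(os.path.join(nm, "clean-lib", "index.js"), "w") as fh:
        fh.write("module.exports = (a, b) => a + b;\n")
    with open(os.path.join(nm, "shady-lib", "index.js"), "w") as fh:
        fh.write("const fs = require('fs');\n"
                 "const blob = fs.readFileSync(__dirname + '/LICENSE', 'utf8');\n"
                 "eval(blob); // constructed stand-in for the LICENSE loader\n")
    return nm
```

Run `scan_node_modules(build_demo())` for the dry run, or point `scan_node_modules` at a real project's node_modules directory to triage it.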

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 144.172.112.106 2025-08-12 2026-01-21
HASH af46c7917f04a9039eb0b439a7615ec… 2025-08-12 2025-08-12
URL https://api.npoint.io/96979650f… 2025-08-12 2025-08-12
DOMAIN installssocket.io 2025-08-12 2025-08-12
IPv4 172.86.64.67 2025-08-12 2025-08-12
