Pattern database

Scam and malicious-repo patterns to check before you trust.

Short, practical notes on the techniques scammers use across messages, recruiter outreach, and unknown codebases.

Fake recruiter scripthigh

Fake Recruiter Take-Home Trap

A fake hiring conversation pushes the target to clone, install, or run a repo presented as a take-home task or broken project.

First seen: 2026-05-13Updated: 2026-05-19
npm postinstallhigh

npm Postinstall Credential Stealer

A package install hook runs before the app starts, giving malicious code a chance to read local files, tokens, or browser data.

First seen: 2026-05-19Updated: 2026-05-19
Dynamic executionhigh

Obfuscated Eval Loader

Code decodes strings at runtime and executes them dynamically, hiding the actual behavior from a quick source review.

First seen: 2026-05-19Updated: 2026-05-19
SVG payloadhigh

SVG Comment Payload Loader

Executable code is split across SVG comments, decoded by startup code, and executed when a developer runs the project.

First seen: 2026-05-19Updated: 2026-05-19
Telegram crypto baithigh

Telegram Crypto Investment Bait

A Telegram conversation or group uses urgency, fake profits, and guaranteed returns to push the target into sending crypto.

First seen: 2026-01-05Updated: 2026-01-05
Recruiter impersonationmedium

LinkedIn Impersonation Recruiter

A profile claims recruiter authority while the message avoids verifiable details and pushes the target toward unsafe next steps.

First seen: 2026-05-13Updated: 2026-05-13