Lumanagi: Downloader Concealed in Tailwind Config, Delivered via Fake DeFi Interview
“The blueprints were genuine. The building was not.” Executive Summary A threat actor operating a fake recruiter persona on LinkedIn approached the researcher with a Technical Manager role at a fabricated DeFi company, offering $25,000 USD per month and directing the target to a Calendly booking page operated under the handle devs_empire. The actor shared a Bitbucket repository - lmng2026 - as the basis of a technical interview, presenting a polished, fully-designed DeFi platform called Lumanagi to establish credibility. The repository contained two independent execution paths: a VS Code folder-open task and a build-chain payload hidden in tailwind.config.js. The first path requires only opening the repository in a trusted VS Code workspace where automatic tasks are allowed; the second executes during normal frontend start or build activity. Neither requires the target to explicitly run the concealed payload file. ...