From Gamifly to AjunaVerse and AlchemyMVP: Parallel Weaponization of a Shared Poker Repository Lineage

“The branches diverged; the payload did not.”

Executive Summary

This report analyzes two GitHub repositories discovered through follow-on hunting after ThreatProphet’s investigation of the Interexy-branded Gamifly lure:

hxxps://github[.]com/LimitBreak-Solutions/AjunaVerse
hxxps://github[.]com/AlchemyGlobal/AlchemyMVP

The repositories were not directly delivered to the investigator during a recruitment interaction. They were identified by pivoting on Git commits, repository structure, poker-game artifacts, VS Code execution patterns, and malware-loader code preserved in the Gamifly lineage. Both were acquired as forensic Git mirrors on June 9, 2026. ...

June 9, 2026 · ThreatProphet

Interexy-Branded Gamifly Repositories: Evolution of the BetPoker Loader into a Vercel-Gated Node.js Tasking Implant

“The game stayed the same; only the organization name, gate, and dealer address changed.”

Executive Summary

This report analyzes an Interexy-branded fake developer recruitment operation that delivered a GitHub repository named Gamifly during a remote interview workflow. The engagement began with a LinkedIn job offer, moved to Calendly for interview scheduling, and culminated in a repository link shared during the call. A subsequent GitHub search identified a second repository under a slightly different organization name: ...

June 9, 2026 · ThreatProphet

PawCommerce Developer Task: VS Code Folder-Open Tasks and Git Hooks Deliver Cross-Platform Node.js Stealer

“What was given as work concealed its blade in the hidden hooks.”

Executive Summary

This report analyzes a PawCommerce-themed developer-task lure delivered during a fake recruitment workflow. The initial contact occurred through LinkedIn, where a recruiter persona using the display name Nathaniel Nicdao asked whether the target would be open to a brief conversation and requested a CV or resume. The LinkedIn profile was later unavailable. A subsequent Google Calendar invitation used the persona Mark Harris <mark.harris.workspace@gmail[.]com>, and the development task was delivered through a OneDrive share displaying the account name Mimori Okamoto. The OneDrive page hosted a ZIP file named pawCommerce.zip. ...

June 3, 2026 · ThreatProphet

DLabs Hungary Impersonation: CTO Recruitment Lure Uses VS Code Task Injection and Persistent Node.js Beacon

“The face was changed, yet the hand was known.”

Executive Summary

A threat actor impersonating DLabs Hungary conducted a targeted recruitment campaign against a developer, using a purported CTO/team lead opportunity to deliver a malicious GitHub repository. The legitimate DLabs Hungary company is not assessed to be involved in this activity; the name was used as social-engineering cover by the threat actor. The repository was shared during a live interview call, with access granted long enough for the target to clone it. The repository contained VS Code workspace tasks configured with runOn: folderOpen, meaning the tasks could run when the folder was opened in a trusted workspace and automatic task execution was allowed. ...

April 16, 2026 · ThreatProphet

Dravion-Core: Dual-Path Developer Lure with Environment Harvesting and Persistent Beacon

“This was not a new work, but an old hand returning by familiar paths.”

Executive Summary

A threat actor operating a LinkedIn recruiter persona, assessed with low-to-medium confidence as DPRK-linked and consistent with Contagious Interview / TraderTraitor-style activity, targeted developers through a multi-stage social engineering lure. The initial LinkedIn message delivered a Google Drive-hosted project overview / job description PDF and a Calendly scheduling link. The malicious GitHub repository, Dravion-Core hosted under the organisation Intraverse-Dev-Tech-Hub, was subsequently shared during the follow-on call rather than in the initial message. The repository deploys two independent execution routes that deliver the same payload via separate C2 infrastructure, in a structure near-identical to TP-2026-004 (BetPoker). ...

April 13, 2026 · ThreatProphet

BetPoker: Credential-Gated JavaScript RAT with Dual Delivery Routes in a Web3 Assessment Repository

“The table is set like an altar, and whoso sits there is counted among the damned.”

Executive Summary

A threat actor operating under the GitHub organisation LimitBreakOrgs used a repository named bet_ver_1, publicly described as “BetPoker”, as a malicious Web3 gaming assessment project. The organisation name appears designed to resemble limitbreakinc, the legitimate GitHub organisation associated with Limit Break Inc., a Web3 gaming company. The preserved repository presents as a Web3 poker and sports betting platform and contains two independent execution routes: one through a VS Code folder-open task, and one through backend startup via npm start. ...

March 2, 2026 · ThreatProphet

Japanese-Royal: Environment Harvesting and JavaScript RAT Delivered via Fake Developer Interview

“He came as a messenger with gifts, and the birds grew fat.”

Executive Summary

A threat actor operating a fake recruiter persona on LinkedIn approached developers with a CTO-level opportunity at a fabricated Japanese e-commerce company. After establishing credibility through a polished project brief, the actor shared a GitHub repository named Japanese-Royal as part of a technical interview, directing the target to review and run the codebase. The repository contained a multi-stage implant reachable through several routine developer actions, including VS Code folder-open tasks, npm lifecycle hooks, normal startup scripts, and direct server execution. ...

February 25, 2026 · ThreatProphet
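The reports above (PawCommerce, DLabs Hungary, BetPoker, Japanese-Royal) keep returning to the same three automatic execution routes: a VS Code task with runOptions.runOn set to folderOpen, an implicit npm lifecycle script (postinstall, prestart, start, and so on), and a Git hook that the clone itself cannot have delivered. The triage helper below, added here as an example and not code from ThreatProphet or from any of the repositories named, enumerates those routes in a cloned tree before anyone opens the folder in VS Code or runs npm. The sample repository it scans is constructed inline and only mirrors the shape of those lures; the loader-indicator regex and the `server.js` stager line are assumptions for illustration, not artifacts from the reports.

```python
"""Enumerate automatic execution routes in a cloned developer-lure repository:
VS Code folderOpen tasks, implicit npm lifecycle scripts, and Git hooks.
Added example with a constructed sample repo; not ThreatProphet's tooling."""
import json
import re
import tempfile
from pathlib import Path

# npm runs these without an explicit "npm run <name>"; "test" and "build" do not qualify.
IMPLICIT_NPM_SCRIPTS = {"preinstall", "install", "postinstall", "prepare",
                        "prestart", "start", "poststart"}
# Heuristic loader indicators (assumption: tuned for Node.js stagers, not exhaustive).
SUSPICIOUS = re.compile(
    r"curl|wget|Invoke-WebRequest|eval\s*\(|new Function|child_process|base64", re.I)


def _strip_jsonc_comments(text):
    """tasks.json is JSON-with-comments; drop /* */ blocks and whole-line // comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def scan_vscode_tasks(repo):
    """Report every task with runOptions.runOn == folderOpen, whatever it runs."""
    path = Path(repo) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    try:
        tasks = json.loads(_strip_jsonc_comments(path.read_text())).get("tasks", [])
    except json.JSONDecodeError:
        return [("vscode-task", str(path), "unparseable tasks.json; review by hand")]
    found = []
    for task in tasks:
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
            found.append(("vscode-task", task.get("label", "<unlabeled>"), cmd.strip()))
    return found


def scan_npm_scripts(repo):
    """Flag implicit lifecycle scripts whose command, or a JS file they launch with
    `node`, contains a loader indicator (the BetPoker-style `npm start` route)."""
    path = Path(repo) / "package.json"
    if not path.is_file():
        return []
    scripts = json.loads(path.read_text()).get("scripts", {})
    found = []
    for name, cmd in scripts.items():
        if name not in IMPLICIT_NPM_SCRIPTS:
            continue
        if SUSPICIOUS.search(cmd):
            found.append(("npm-script", name, cmd))
            continue
        for entry in re.findall(r"node\s+(\S+\.js)", cmd):
            target = Path(repo) / entry
            if target.is_file() and SUSPICIOUS.search(target.read_text()):
                found.append(("npm-script", name, f"{cmd} -> {entry} contains loader indicator"))
    return found


def scan_git_hooks(repo):
    """Clone never transfers hooks, so any non-.sample file in .git/hooks, or a
    core.hooksPath in .git/config, was planted after checkout by something that ran."""
    found = []
    hooks = Path(repo) / ".git" / "hooks"
    if hooks.is_dir():
        for hook in sorted(hooks.iterdir()):
            if hook.is_file() and not hook.name.endswith(".sample"):
                lines = hook.read_text().strip().splitlines()
                found.append(("git-hook", hook.name, lines[-1] if lines else ""))
    config = Path(repo) / ".git" / "config"
    if config.is_file():
        m = re.search(r"^\s*hooksPath\s*=\s*(.+)$", config.read_text(), re.M)
        if m:
            found.append(("git-hook", "core.hooksPath", m.group(1).strip()))
    return found


def scan_repo(repo):
    return scan_vscode_tasks(repo) + scan_npm_scripts(repo) + scan_git_hooks(repo)


def build_sample_repo(root):
    """Constructed layout mirroring the routes in the reports; not real artifacts."""
    root = Path(root)
    (root / ".vscode").mkdir(parents=True, exist_ok=True)
    (root / ".vscode" / "tasks.json").write_text("// constructed sample\n" + json.dumps({
        "version": "2.0.0", "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"},
            {"label": "prepare-env", "type": "shell", "command": "node",
             "args": ["scripts/setup.js"], "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "package.json").write_text(json.dumps({"name": "sample-game", "scripts": {
        "start": "node server.js", "test": "jest",
        "postinstall": "node -e \"require('child_process').exec('node scripts/setup.js')\""}}))
    # Assumed stager shape: the start entry point decodes and evals a blob (constructed).
    (root / "server.js").write_text("const b=process.env.CFG;eval(Buffer.from(b,'base64').toString());\n")
    hooks = root / ".git" / "hooks"
    hooks.mkdir(parents=True, exist_ok=True)
    (hooks / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")
    (hooks / "post-checkout").write_text("#!/bin/sh\nnode scripts/setup.js\n")
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_sample_repo(tmp))


if __name__ == "__main__":
    for kind, where, detail in demo():
        print(f"{kind:12} {where:16} {detail}")
```

Run it against the constructed sample and it reports the folderOpen task, the `start` script whose entry file carries an eval/base64 indicator, the `postinstall` script spawning a child process, and the non-sample `post-checkout` hook. A folderOpen task is reported regardless of its command because the command is usually benign-looking (`node scripts/setup.js`) and the interesting part is the file it points at; the npm check deliberately ignores `test` and `build`, which only run on request.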