These past months, I've seen several social media posts about people getting scammed during coding challenges or take-home tests. The cases usually involve cloning a GitHub repository that claims to contain the coding challenge and being asked to run the code, which actually contains malware or steals your data.

Do you have any advice on how to protect ourselves from this? Are there any recommended tools to scan such code? Is regular antivirus software sufficient?

I've seen several suggestions, such as always running this type of code in a VM or emulator. However, I think this solution only isolates the environment. Ideally, we need a way to determine if the code is malicious so we can decide to abandon the interview if it already seems suspicious.
It takes quite a bit of effort to determine that a repo is free of malware - very likely more effort than the coding challenge itself. And I would not rely on antivirus software.

Checking the background of the hiring company may help. Check the investors, board of directors, founders to make sure they are real and have a backstory. Search TeamBlind or Glassdoor for complaints.
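An added example, not part of any post in this thread: a small pre-run triage script for a cloned "coding challenge" repo. It does not prove a repo is clean (the reply above is right that proving absence is expensive); it only surfaces the things that execute without you calling them, which is where these repos tend to hide the first stage: npm lifecycle hooks in package.json, a VS Code task set to run on folder open, and source files containing dynamic eval, long base64 or hex blobs, credential-path references, or raw-IP network calls. The hook names, file types and regexes are assumed heuristics chosen for this example, and `demo()` builds a constructed sample repo in a temp directory so the script runs offline.

```python
import json
import re
import sys
import tempfile
from pathlib import Path

# npm runs these automatically on `npm install`; none are needed to *read* a repo.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Heuristic source patterns (assumed for this example, not a malware signature set).
PATTERNS = {
    "dynamic-eval": re.compile(r"\b(eval|Function|exec|execSync|spawn|spawnSync)\s*\("),
    "long-base64": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "hex-escape-blob": re.compile(r"(\\x[0-9a-fA-F]{2}){16,}"),
    "env-harvest": re.compile(r"process\.env|os\.environ|\.ssh/|\.aws/credentials|\.npmrc"),
    "network": re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}|child_process|net\.connect|urllib\.request"),
}
SOURCE_EXT = {".js", ".cjs", ".mjs", ".ts", ".py", ".sh", ".rb"}
SOURCE_NAMES = {"setup.py", "Makefile"}
RED_FLAG_KINDS = {"npm-lifecycle-hook", "vscode-folder-open", "dynamic-eval",
                  "long-base64", "hex-escape-blob"}
MAX_FILE_BYTES = 2_000_000

def finding(file, kind, detail):
    return {"file": file, "kind": kind, "detail": detail}

def check_package_json(path, rel):
    """Flag scripts that run on install, before the candidate has read anything."""
    try:
        data = json.loads(path.read_text(encoding="utf-8", errors="replace"))
    except json.JSONDecodeError as exc:
        return [finding(rel, "unparseable-package-json", str(exc))]
    scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
    return [finding(rel, "npm-lifecycle-hook", f"{hook}: {cmd}")
            for hook, cmd in scripts.items() if hook in NPM_HOOKS]

def check_vscode_tasks(path, rel):
    """tasks.json with runOn: folderOpen executes when the folder is opened and trusted."""
    text = path.read_text(encoding="utf-8", errors="replace")
    if re.search(r'"runOn"\s*:\s*"folderOpen"', text):
        return [finding(rel, "vscode-folder-open", "task auto-runs on folder open")]
    return []

def scan_source(path, rel):
    """Line-by-line regex sweep; every hit is a place to read by hand, not a verdict."""
    if path.stat().st_size > MAX_FILE_BYTES:
        return [finding(rel, "oversized-source", "skipped; inspect by hand")]
    out = []
    for lineno, line in enumerate(path.read_text(encoding="utf-8", errors="replace").splitlines(), 1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                out.append(finding(rel, kind, f"line {lineno}: {line.strip()[:80]}"))
    return out

def triage_repo(root):
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            findings += check_package_json(path, rel)
        elif path.name == "tasks.json" and ".vscode" in path.parts:
            findings += check_vscode_tasks(path, rel)
        elif path.suffix in SOURCE_EXT or path.name in SOURCE_NAMES:
            findings += scan_source(path, rel)
    return findings

def has_red_flags(findings):
    return any(f["kind"] in RED_FLAG_KINDS for f in findings)

def demo():
    """Constructed sample repo: one hooked package.json, one staged loader, one clean file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "package.json").write_text(json.dumps(
            {"name": "challenge", "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
        (d / "setup.js").write_text('const p = "' + "A" * 200 + '";\n'
                                    'eval(Buffer.from(p, "base64").toString());\n')
        (d / "app.js").write_text("module.exports = (a, b) => a + b;\n")
        (d / ".vscode").mkdir()
        (d / ".vscode" / "tasks.json").write_text(
            '{"tasks":[{"label":"x","command":"node setup.js","runOptions":{"runOn":"folderOpen"}}]}')
        return triage_repo(d)

if __name__ == "__main__":
    results = triage_repo(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['kind']:22} {f['file']}: {f['detail']}")
    print("RED FLAGS" if has_red_flags(results) else "nothing automatic found; still read it")
```

Run it against the cloned directory before `npm install`, `pip install -e .`, or opening the folder in an editor that trusts it. A clean report is not a clean repo; a single lifecycle hook or folder-open task is enough to stop and ask the recruiter why the challenge needs to execute anything.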
I’d say only complete coding challenges that are sent directly from a prospective employer or that you yourself access via a coding challenge site. I’d never click on a coding challenge link posted in a social media link.
Remember that interviewing goes both ways. If an employer showed this level of incompetence at the interview stage, do you really want to work for them?