Uncovering a Web3 Interview Scam

2025-08-12, Slowmist
https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3
#NPM

Contents

Threat Intelligence: Uncovering a Web3 Interview Scam
Author: Joker & Ccj
Editor: KrsMt
Background
On August 9, 2025, a community member was asked during the first round of an interview with a self-proclaimed Ukrainian Web3 team to locally clone a GitHub repository. Suspecting potential security issues in the repository’s code, the member recently reached out to the SlowMist security team for assistance.
We promptly analyzed the GitHub open-source project (EvaCodes-Community/UltraX) and confirmed the existence of malicious components. With the member’s consent, we issued a security advisory.
Analysis
We first visited the project’s GitHub repository: https://github.com/EvaCodes-Community/UltraX. From the recent changes, we noted that the latest version replaced the original [email protected] dependency with a newly introduced package [email protected].
The [email protected] NPM package had already been removed by the NPM security team for containing malicious code.
The [email protected] package was newly published.
When visiting its GitHub repository, we found that the source code had been deleted, raising further suspicion about its legitimacy.
Upon analysis, …

IoC
