The invitation from Keila Rosa Garcia Arrieta appeared to be a professional opportunity to upgrade a Web3 social platform from v1 to v2. The project description was detailed, mentioning partnerships with CryptoOasis and a roadmap involving real estate DApps, multi-staking, and AI integrations. The client even provided a high-fidelity Figma design link, making the offer look like a legitimate, high-stakes engineering task.
The trap was set within the next step of the interview process. The client requested that I download the MVP v1 repository from a Dropbox link to "familiarize myself with its structure" before meeting with a technical manager. To make the scam more convincing, the folder included the actual Figma design files, creating a false sense of security while looking for technical context.
I decided to manually inspect the repository files before running any installation commands. This caution saved my entire infrastructure. Inside the next.config.js file, the code initially looked like a standard Next.js configuration for image whitelisting. However, I discovered a hidden, malicious string on the very first line that was intentionally pushed far to the right so it would be cut off in most code editors.
This hidden script used a classic malware pattern. It utilized atob() to decode a Base64 string into a URL, fetch() to download a remote payload, and eval() to execute that payload. Because Next.js config files run automatically during the build process, simply typing npm install or npm run dev would have granted the attacker full execution rights on my machine.
The goal of these "job interview" repos is to exfiltrate high-value developer data. They target your ~/.ssh folder, GitHub tokens, AWS credentials, and browser-based crypto wallets like MetaMask. It is a highly effective social engineering attack because it hides behind a professional-looking job description and a legitimate Figma design.
Despite reporting this clear threat to Upwork, their Trust & Safety team responded stating they "didn't find a violation of Upwork's policies" and considered the matter closed. This is a dangerous oversight. It means the platform may not be catching sophisticated malware hidden in configuration files, even when it's specifically designed to bypass standard detection.
The lesson is clear: you are your own last line of defense. Never trust a repository from a new client, even if it looks legitimate and the platform clears the account. Always search the codebase for the combination of fetch, atob, and eval before you ever initialize a project.
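A static check for the pattern this post describes, as an added example that is not part of the original post: it reads a file as text, never executes it, and flags code pushed behind a long run of whitespace as well as the fetch/atob/eval combination. The 40-character padding threshold, the rule and function names, and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not from the original repository): text-only scan, nothing is executed.
const SINKS = { atob: /\batob\s*\(/, fetch: /\bfetch\s*\(/, eval: /\beval\s*\(/ };
// Assumed threshold: 40+ spaces/tabs followed by more code is not normal formatting.
const PADDING = /[ \t]{40,}(?=\S)/;

function scanSource(text, file = "<input>") {
  const findings = [];
  const seen = new Set();
  text.split(/\r?\n/).forEach((line, idx) => {
    const sinks = Object.keys(SINKS).filter((name) => SINKS[name].test(line));
    sinks.forEach((name) => seen.add(name));
    const pad = PADDING.exec(line);
    if (pad) {
      // Column where the code hidden behind the padding starts (1-based).
      const column = pad.index + pad[0].length + 1;
      findings.push({ rule: "padded-code", line: idx + 1, column, sinks });
    } else if (sinks.length > 0) {
      findings.push({ rule: "sink-call", line: idx + 1, column: line.search(/\S/) + 1, sinks });
    }
  });
  // All three calls anywhere in one file, or any of them behind padding: do not install.
  const combo = Object.keys(SINKS).every((name) => seen.has(name));
  const hiddenSink = findings.some((f) => f.rule === "padded-code" && f.sinks.length > 0);
  const verdict = combo || hiddenSink ? "block" : findings.length ? "review" : "clean";
  return { file, verdict, findings };
}

// Constructed, inert sample: undefined variables and a placeholder instead of a real value.
const SAMPLE_BAD = [
  "/** @type {import('next').NextConfig} */" + " ".repeat(300) +
    ';var u=atob("<CONSTRUCTED-PLACEHOLDER>");fetch(u);eval(p);',
  "module.exports = { images: { domains: ['example.com'] } };",
].join("\n");
// Constructed benign config for comparison.
const SAMPLE_OK = "module.exports = { images: { domains: ['example.com'] } };\n";

console.log(JSON.stringify(scanSource(SAMPLE_BAD, "next.config.js"), null, 2));
console.log(scanSource(SAMPLE_OK, "next.config.js").verdict);
```

To scan a real file, pass its contents from `fs.readFileSync(path, "utf8")` to `scanSource` before running any install or build command. A "review" verdict only means a single call such as `fetch(` was found and needs a human look.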
So, I built this with MediaPipe. 🫡
It’s a Chrome Extension that uses your webcam to detect when you struggle to read.
😑 Squint → Zoom In
😳 Open Wide → Zoom Out
It's currently calibrated just for my face/eyes. If there's enough demand, I’ll try to generalize the calibration or add some setup and launch it on the Chrome Web Store for everyone. Let me know if you’d use it
(Tech stack & Architecture in the comments 🧵)
The Billboard and Dashboard sections are fully operational, featuring the Global Map for minting, real-time Stats & Trends, a competitive Leaderboard, and a comprehensive Asset portfolio view.
The Community hub drives engagement through a resale Marketplace, a gamified Quests & Airdrop system, and an exclusive token-gated Whale Chat that unlocks for pixel owners.
#VectixBoard #Solana #MSImagineCup #BuildInPublic #Web3 #DigitalIdentity #Supabase #NextJS #IndieDev #BlockchainGaming
Introducing VectixBoard: A decentralized billboard built on Solana. 1,000,000 pixels. 100% On-Chain.
The Grid is infinite. Ownership is forever. 🌐✨
#Solana #Web3
@jobosonchisa Damn, they come late to their shows?? That's sad. And they are the only guys I can swear that I will pay to watch anywhere in the world. Damn again sha.
To think that I put virtually all my money in my GTBank thinking it was more secure than my Opay. I no fit wrap my head around the ease that account was penetrated man. 😤
Just completed the ASI Autonomous Agents Platform for the ASI Alliance Hackathon.
The platform features three autonomous agents in healthcare, finance, and logistics.
They communicate in real time using the Chat Protocol and MeTTa Knowledge Graph.
Live demo: https://t.co/gdAcfHL19Z
Source code: https://t.co/p6QN1I3MXY
Built with https://t.co/fUS68b8dLY uAgents and SingularityNET MeTTa.
#ASIAlliance #AutonomousAgents #FetchAI #SingularityNET
Just shipped a Blockchain Sharding simulator in Rust
I wanted to benchmark the cost of "Cross-Shard Communication" vs. raw parallel speed.
The Stack:
•Rust Threads for Validator Nodes
•Arc<Mutex> for safe state management
•Custom 2-Phase Commit for settlement
The Verdict: Parallelism wins. Even with 100% cross-shard traffic (doubling the workload), the sharded architecture beat the monolithic approach.
Code is open source 👇
https://t.co/rZtzwYnlrN
#Rust #BlockchainDev
#SystemsEngineering #Coding