Trust Is the Attack Surface

This afternoon I almost cloned and ran a malicious GitHub repository during what was framed as a fractional CTO interview.

I didn't run the code. The instinct fired at the right moment. But I came closer than I'd like to admit, and the only reason the instinct fired at all is that I happened to have read about this exact attack pattern in a Microsoft Security report two months ago. Without that, I would have cloned the repo, opened it in Cursor, and probably been compromised before the screen share even fully loaded.

What follows is the actual arc of how it played out, what the attack really targets, and the systems lesson that matters more than the attack itself.

Seven days ago, a LinkedIn message from someone named Francisco Cañola, claiming to be a recruiter at Ritual. Ritual is a real company. NYC-based. AI x crypto execution layer. Backed by Archetype with a $25M raise. I know the brand.

The pitch was for a fractional CTO or advisor role. The message specifically referenced my work on token design, regulatory strategy, and operating structures for AI and digital asset companies. Targeted. Not a mass blast.

I responded with the standard set of questions a founder-operator asks before taking an intro call. He answered them well enough. We scheduled the call.

Today was the call. The "hiring manager" joined. Pleasant for the first few minutes. Then came the ask: "Could you clone this repo and run it locally while sharing your screen, so we can walk through your approach?"

I ended the call.

The domain that organized the calendar invite was ritualhub.net. The real Ritual is at ritual.net. Lookalike domain, four characters off.

WHOIS lookup on ritualhub.net returned a creation date of May 18, 2026. Four days before today's call. Registered through Namecheap, default nameservers, DNSSEC unsigned. No legitimate company operates from a four-day-old domain.

The calendar invite was organized by [email protected] but created by [email protected]. Two different accounts, mismatched, both disposable.

The GitHub organization was Ritual-Product. The real Ritual's GitHub is ritual-net. Another typosquat. No commit history that looked like a real product. The repo, MetaPlay, was structured to require execution during a screen share.

The LinkedIn profile for "Francisco Cañola" had a real work history (Verndale, ioet, GDG Quito) likely scraped from a genuine Ecuadorian engineer, grafted onto a fabricated leadership layer. Education listed as starting an art degree in 2026 while supposedly being CEO of a different "Ritual Foundation" since early 2025. The kind of inconsistency you only see if you actually read the profile.

Every layer was a counterfeit calibrated to the next. None of them stood up to scrutiny on their own. All of them composed into something that looked like a real recruiting funnel.

This isn't an isolated incident. It's a documented campaign.

Microsoft Security published a report in March 2026 calling this the "Contagious Interview" playbook. ReversingLabs tracked a parallel attribution they named "graphalgo" in February 2026. Both attribute it to DPRK-aligned threat actors. The mechanics are consistent across hundreds of documented victims:

The campaign targets crypto and Web3 builders, founders, fractional CTOs, and security engineers. The profile they recruit for is the profile they want to compromise. They want machines with wallets, exchange accounts, banking sessions, GitHub tokens, and cloud credentials.

This is the part I want operators to internalize.

The attack surface is no longer code. It's the entire trust chain.

The trust chain has at least five layers:

Each layer has weak verification. LinkedIn doesn't verify employment. Calendar invites don't verify domain authenticity. GitHub doesn't verify that an organization is what it claims. Editors run code on workspace open by design. Package managers run postinstall scripts by design. The OS runs anything the user authorizes.

The exploit composes across all five. A four-day-old domain plus a stolen LinkedIn profile plus a typosquat GitHub org plus a normal npm install is enough to get to root access on a founder's machine. No single layer needs to fail. They all need to look plausible enough to pass casual inspection together.

This is structurally different from old-school phishing, where the failure mode was usually one bad link. Here, the failure mode is a coordinated assembly that looks like a normal Tuesday in tech.

The market is starting to realize this, but slowly. Most security advice still operates as if "don't click suspicious links" is the threat model. The actual threat model is "don't trust composed identity across five independent systems with weak verification at each layer."

After the call, I went through standard incident-response motions. I deleted the downloaded repo. I checked process lists. I checked persistence vectors. Mostly clean.

Then I found something unrelated. A LaunchAgent on my machine called com.driverpatch.plist, dated September 24, 2025. Eight months old. Pointing at a script in /var/tmp/CDrivers/drivfixer.sh that no longer existed. The plist had clear malware tells: corrupted DOCTYPE template substitution that left the string "APP_1795le" where "Apple" should have been, plist version 2.0 (real ones are 1.0), label mismatched against filename, payload path in /var/tmp/ which no legitimate driver software would use.

It wasn't loaded. The script it referenced was gone. Either it self-deleted after running, or macOS garbage-collected /var/tmp/ thirty days after the script went idle. Eight months of orphaned persistence, dead for most of it.

I have no memory of how it got there. Most likely a cracked utility, a fake codec installer, or a malicious one-liner from a Stack Overflow answer or sketchy GitHub README that I dismissed in the moment and forgot. Sometime in late September 2025.

The lesson there is its own kind of structural. Most operators carry forensic artifacts they don't know about. Most are dead. Some aren't. The only way you find them is by looking, and you usually only look when something else triggers an investigation. The fake interview today did its job in reverse: it gave me a reason to audit, and the audit found something unrelated that had been quietly sitting there for two thirds of a year.

This is the practical part.

Sandbox by default for any new code. GitHub Codespaces, a dedicated cloud VM, or a Mac mini you don't care about. Not your daily driver. The cost of an extra layer is fifteen seconds. The cost of skipping it is whatever was on your machine the day you got hit.

Treat hardware wallets as standard for any real holdings. If you have meaningful crypto and you're storing it in MetaMask or Phantom on the same machine you use for everything else, that's no longer the right posture. Ledger or Trezor, with seeds never typed on a connected device. Software wallets are for testing and small balances.

Cover your webcam. Five-dollar magnetic slider. One-time install. The number of malware variants that grab a webcam frame at boot is non-trivial. The eight-month-old artifact on my machine had a label called com.webcam. I don't know what it did. I'm glad I'll never need to know.

Audit your LaunchAgents and LaunchDaemons once a quarter. Two commands:

Eyeball the output. Anything you don't recognize, dump the plist contents, follow the path it references, decide if it's yours. Quarterly is enough. The orphaned artifact on my machine would have been caught in October 2025 if I'd done this.

Run WHOIS on any domain that contacts you about an opportunity. One command. Five seconds. A four-day-old domain is dispositive in either direction.

Trust the instinct on the call. If something feels off, leave. You will not be punished by a legitimate company for ending an awkward conversation. You will absolutely be punished by a malicious one if you stay.

The deeper pattern is this.

The economics of online recruiting and remote-first work have made the trust chain commodifiable. Recruiters reach out. Calendars get booked. Codebases get cloned. Editors open folders. Postinstall scripts run. All of this is normal. All of it is necessary for how distributed teams actually operate. The same operational reality that makes remote work possible is what makes this attack profitable.

The market hasn't built the verification infrastructure to match. We have cryptographic attestation for code signing on macOS. We don't have anything equivalent for identity attestation on LinkedIn, domain provenance on calendar invites, organizational provenance on GitHub orgs, or trust hierarchies on workspace open in editors. Each of those is technically possible. None of them is deployed.

That gap is the attack surface. And the gap closes slowly because no single platform owns the whole chain, and the platforms that own individual layers don't have incentive to verify what happens upstream or downstream of their layer.

In the meantime, the defense is operational. Cover the webcam. Sandbox the code. Hardware-isolate the wallets. Audit the persistence. Trust the instinct.

The next version of this will not look like a recruiter. It will look like a customer, an investor, a partner, a journalist. Same trust chain, same composition pattern, different cover story. The mechanics generalize.

This is ultimately an infrastructure problem. The trust chain has no verification layer. Until it does, the operational discipline is the only thing standing between a normal Tuesday and a compromised machine.

The instinct caught it. The instinct caught it because I'd seen the pattern before. The reason to write this is so the next person on the receiving end has seen the pattern before too.

If you got this far and want the technical indicators of compromise, all of them are public in the report I filed with the FBI's IC3 today. The fake recruiter, the lookalike domain, the GitHub org, the calendly handle, the dropped Google Doc. All searchable, all already in the campaign tracking databases at Microsoft Security and ReversingLabs.

The campaign is ongoing. It will reach you eventually. The question is whether you've seen the pattern before it does.