Runjak.codes: An adversarial coding test

Summary

Table of contents Prelude This morning when scrolling the Fediverse a post by 0xabad1dea caught my attention: ⬅️ A post reading: so it turns out that when VS Code asks you "do you trust the authors of this folder?" what they mean is that it'll auto-execute .vscode/tasks.json if it exists, which can include shell commands. maybe that's too many features. you can't hold all these features. put a few features back ➡️ 🔎 The confirmation dialog in question looks like this: ⬅️ Screenshot of the vscode trust dialog. It mentions that trusting the authors can lead to the automatic execution of files. ➡️ 🔎 Happenstance is that I’m currently looking for a job. I’ve been in talks. Or, in this case, I was led to believe I was 🙃. There were some interesting technical aspects, some business background but little info about the company. So we continued talks until I was given a name and access to a repository for some coding exercise. Enter Solvolabs ⬅️ Screenshot of the solvolab.com website taken 2026-01-21. ➡️ 🔎 Yeah - I searched the company and this is what their website looked like. To me this is the visual language of Blockchain/NFT scams mixed with the butthole motifs that AI companies like so much. So thankfully my suspicions where raised when I checked out the repository for the coding challenge. Note: it could be that the GitHub organization of the same name and the company Solvolabs are unrelated. It fits a narrative though. Tangent, phishing It is my belief that given enough time and chances we will just click a button.Phishing training and vigilance can only do so much. One day we will be distracted or tired and click the wrong button at the wrong time.This is why the Hierarchy of controls is like it is and why phishing trainings are often so useless.This time I was lucky though. The smoking gun My first step was to look at the history of .vscode/tasks.json. I hoped that this would highlight exciting changes and shortcut having to scroll through the entire file. ⬅️ The ...