Stay safe in your job search

RTIdx is community-powered threat intelligence for the recruiter inbox. Paste a suspicious offer or coding-test repository — we return an evidence-backed risk verdict before you ever run the code.

No account needed to scan a repo or browse cases
A sample assessment

From a DM to a verdict — watch it happen.

A real submission, start to finish: the message goes in, the repo is inspected without ever being run, isolated signals get connected into a single attack chain, and an AI layer confirms what’s real.

What you get back is a plain verdict backed by evidence — not a black box. Every conclusion points to something we actually observed.

For developers

Vet a coding-test repo before you clone it — and warn a friend who got the same offer.

For teams

Give recruiters and candidates a safe, on-the-record way to check repositories at scale.

From case 4d3c78ff · 15/05/2026

The threat

The attack is a job offer. The payload runs on your laptop.

Security researchers call it contagious interview. It targets software developers and has stolen browser cookies, SSH keys, crypto wallets, and environment variables from thousands of victims who never knew they had been hit.

How RTIdx works

From a suspicious message to a verdict you can share.

Six stages take a submission from raw thread to public case page. Automation does the heavy lifting; analysts handle edge cases and appeals. Every claim points back to something we observed.

Paste the recruiter thread or drop a repository URL. Nothing runs on your machine — we take it from there.

LinkedIn

Synthetic example — not a real submission.

Paste the recruiter thread or drop a repository URL. Nothing runs on your machine — we take it from there.

LinkedIn

Synthetic example — not a real submission.

Personas, companies, repo URLs, and channels are extracted and anonymized before storage.

  • RecruiterPerson A
  • CompanyOrg B
  • Repogithub.com/org/coding-test
  • ChannelLinkedIn DM

Pressure to run the repo, off-platform moves, and pitch shape are scored as interaction signals — not just file matches.

  • Pressure to run before the call
  • Moves off-platform quickly
  • No formal job description
  • Web3 / AI pitch without substance

100+ static checks across six languages. Retrieved in a locked-down worker, never executed on your laptop.

After sign-in, selected repos are detonated in an isolated VM on our infrastructure — install, entrypoint, and full process, network, and filesystem trace. We observe to the end of the window unless the sandbox itself is at risk.

Isolated findings link into a named attack path — delivery, execution, exfiltration — on a deterministic behaviour graph, with a fast verification pass trimming low-confidence noise.

Install-time data exfiltrationHigh riskstatic analysis

A postinstall hook runs during npm install, reads sensitive paths, and sends data outbound — before you open the repo.

  1. Runs automatically on install or in CIpackage.json:12
  2. Reads credentials, wallet, or keychain dataindex.js:28
  3. Sends data to an external serverindex.js:41

A public case page with risk band, cited evidence, scan coverage, and an appeal path for anyone named.

High risk

Metwaly opportunity offered via LinkedIn recruiter.

Public case with cited evidence, scan coverage, and appeal path.

See a real case →

See a real case →Try a live repo check →

Methodology

A verdict is only worth the method behind it.

Ours is boringly consistent on purpose — grounded in what we actually observed, honest about its own limits, and impossible to quietly game. Four principles hold every case to the same bar.

  1. 01

    Deterministic & reproducible

    The same repository and the same thread always reach the same verdict. No dice rolls, no drift.

  2. 02

    Correlated, not just matched

    A lone signal proves little. It only counts when it chains into a real attack path — delivery to execution to exfiltration.

  3. 03

    Closed by design

    We publish the verdict, not the playbook. The people we catch can't reverse-engineer their way around what they can't see.

  4. 04

    Answerable to a human

    Anyone named in a case can contest it. An analyst reviews the evidence and the call, not an algorithm.

Inspected across
  • JavaScript
  • TypeScript
  • Python
  • Go
  • Ruby
  • PHP
100+
Detection rules
Shown
Scan coverage on every case
04m 12s
Median turnaround
Never
Your code is executed
Research partner

Built with the team measuring this at scale.

RTIdx is a product, not a paper. But its rule set, language classifiers, and persona-clustering methodology come out of joint work with Stony Brook University’s Ethos Security & Privacy Lab. That collaboration has a paper of its own, currently under review.

The engine also inherits the lab’s earlier, independent work — Anansi, which defines the indicator taxonomy and false-positive baselines we build on. We share back what we learn: the rule set, false-positive analyses, and an anonymized research-grade dataset for academic peers. The platform stays defdone’s; the research stays open.

Ethos Lab publication · Feb 2026

Anansi: scalable characterization of message-based job scams.

Abisheka Pitumpe, Amir Rahmati · Stony Brook University

A scalable pipeline for characterizing recruitment-based fraud campaigns at the message level. Defines the indicator taxonomy and false-positive baselines RTIdx’s rule engine inherits.

The researchers
Amir Rahmati

Amir Rahmati

Assistant Professor · Director, Ethos Lab

Amir Rahmati is an Assistant Professor of Computer Science at Stony Brook University and a CISSP-certified security researcher. He earned his Ph.D. from the University of Michigan in 2017 and studies emerging security and privacy threats in computer systems, with an emphasis on practical, deployable defenses. His work has been cited thousands of times — supported by the Air Force Office of Scientific Research, the Office of Naval Research, Samsung, Meta, NVIDIA, and IBM, and featured in MIT Technology Review, the Washington Post, and Bloomberg. He is a Senior Member of IEEE and the National Academy of Inventors.

Abisheka Pitumpe

Abisheka Pitumpe

Ph.D. Candidate · Ethos Lab

“I’m a Ph.D. candidate in Computer Science at Stony Brook University, working in the Ethos Lab under Prof. Amir Rahmati. My research develops methodologies to detect and protect against internet scams, such as pig-butchering schemes. I design automated pipelines that leverage large language models — Mistral, Llama 3, and GPT-4o — to improve scam-classification accuracy, alongside Selenium crawlers that automate scam detection at scale.”

The studio behind RTIdx

The team behind the platform.

defdone is a venture studio — we back promising teams with our own capital and build alongside them. RTIdx is one of ours: incubated in-house and run end-to-end, from engineering and intake to analyst review. The research it stands on comes from our partners at Stony Brook’s Ethos Lab.

A defdone venture

The most interesting companies of tomorrow won’t follow familiar playbooks.

They’ll be built by outsiders, generalists, and operators solving real-world problems in new ways. We invest at the very beginning— before the market fully exists, before the traction, when the only thing that’s obvious is the ambition of the team.

We’re especially drawn to ideas that challenge the status quo in overlooked industries:

LogisticsHealthEnergyPublic infrastructureServices
Portfolio№ 001

One of those ideas — spotted early,
funded by defdone, and incubated in-house. From first rule to public launch, built by the team below.

StageIncubation → launch
Backingdefdone capital
SectorTrust & Safety
defdoneProduct & engineering
Piotr Dziubecki

Piotr Dziubecki

Head of Product
Read bio

Leads product strategy for RTIdx — technology that helps prevent fraud in the interview process. Deep experience across product leadership, enterprise platforms, AI-native systems, blockchain infrastructure, and distributed technology, focused on turning complex trust problems into practical products people can actually use.

Jan Podleski

Jan Podleski

Product Engineer
Read bio

Product engineer who owns RTIdx end-to-end — from case intake through automated analysis to verdict delivery. Full-stack development spanning Web3 integrations, decentralized storage, agentic layers, and AI-powered tools; CS graduate, Poznan University of Technology.

Devendran Muthukumaramani

Devendran Muthukumaramani

Blockchain Technical Product Manager
Read bio

Blockchain technical product manager with 20+ years across enterprise technology and financial services (IBM, Cognizant, Standard Chartered), including 3+ years at Casper Association leading DeFi, NFT, and developer tooling. Contributes across RTIdx product direction, testing, and release — firsthand experience as a target of the recruitment scams RTIdx detects shapes platform design and threat intelligence.

If something feels off, check it
before you run it.

Paste the conversation, the profile, and the repo link. You’ll get a verdict within minutes for clear-cut cases, or a queued analyst review for the edge cases. Free, public, no account required.

Open the report form →
Security researchers & analysts

Open for collaboration.

Building this in public. If you study supply-chain attacks, recruitment fraud, or LLM-assisted detection — or you want access to the dataset export — we’d like to talk.

Get in touch