ctipilot.ch


NCSC-CH Week 23: coordinated surge in job-seeker targeting — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

NCSC Switzerland's Week 23 report (9 June) documents three concurrent technique chains aimed at job seekers in Switzerland (NCSC-CH, 2026-06-09). The first sends fake interview-confirmation emails for plausible Swiss employers, linking to a counterfeit Google login that harvests credentials (T1566.002, T1078). The second uses fraudulent job offers demanding identity documents for "onboarding," with stolen Swiss IDs then used to order goods and run parcel-reshipping (freight-forwarder) fraud. The third operates through compromised LinkedIn recruiter profiles that direct candidates to download a "technical assessment" or "onboarding" GitHub repository carrying infostealer malware that targets crypto wallets, browser cookies and saved credentials (T1566.003, T1059.001, T1555). NCSC notes attackers systematically exploit applicants' urgency and unfamiliarity with new-employer processes to lower vigilance.

Why it matters to us: the LinkedIn→GitHub chain is a credible vector into corporate endpoints via employees in job-search mode and HR/talent teams handling external candidate code. Detection signal: git clone / GitHub downloads followed by script execution minutes after a LinkedIn contact (Sysmon EID 1, parent git.exe / python.exe from a freshly-cloned path). This is a national-CERT primary disclosure for its own jurisdiction.
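The endpoint half of that detection signal can be sketched as a correlation over Sysmon Event ID 1 records. This is an added example, not NCSC-CH or ctipilot.ch code: it flags a script interpreter started inside a directory that a `git clone` created shortly before. The 15-minute window, the interpreter list and the sample events are constructed assumptions, and the LinkedIn contact itself is not visible in this telemetry.

```python
import ntpath
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed correlation window, tune locally
INTERPRETERS = {"python.exe", "powershell.exe", "pwsh.exe", "node.exe", "cmd.exe"}

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def clone_target(ev):
    """Directory created by a `git clone` process event, lowercased, or None."""
    args = ev["CommandLine"].split()  # simplification: paths with spaces are not handled
    if ntpath.basename(ev["Image"]).lower() != "git.exe" or "clone" not in args:
        return None
    urls = [i for i, a in enumerate(args) if "://" in a or a.startswith("git@")]
    if not urls:
        return None
    i = urls[0]
    explicit = args[i + 1] if i + 1 < len(args) and not args[i + 1].startswith("-") else None
    name = explicit or args[i].rstrip("/").split("/")[-1].removesuffix(".git")
    return ntpath.normpath(ntpath.join(ev["CurrentDirectory"], name)).lower()

def find_exec_after_clone(events):
    """Return (clone_event, exec_event) pairs: interpreter started in a fresh clone."""
    clones, hits = [], []
    for ev in sorted(events, key=_ts):
        target = clone_target(ev)
        if target:
            clones.append((target, ev))
        elif ntpath.basename(ev["Image"]).lower() in INTERPRETERS:
            cwd = ntpath.normpath(ev["CurrentDirectory"]).lower()
            for target, clone_ev in clones:
                inside = (cwd == target or cwd.startswith(target + "\\")
                          or target in ev["CommandLine"].lower())
                if inside and _ts(ev) - _ts(clone_ev) <= WINDOW:
                    hits.append((clone_ev, ev))
    return hits

def _ev(time, image, cmd, cwd):  # constructed sample events, not real telemetry
    return {"UtcTime": f"2026-06-09 {time}", "Image": image,
            "CommandLine": cmd, "CurrentDirectory": cwd}

DL = "C:\\Users\\candidate\\Downloads\\"
SAMPLE_EVENTS = [
    _ev("09:02:11.120", "C:\\Program Files\\Git\\cmd\\git.exe",
        "git clone https://git.example.invalid/recruiter/technical-assessment.git", DL),
    _ev("09:05:40.300", "C:\\Python312\\python.exe", "python.exe setup.py", DL + "technical-assessment\\"),
    _ev("09:06:02.000", "C:\\Python312\\python.exe", "python.exe manage.py", "C:\\Projects\\internal\\"),
    _ev("10:30:00.000", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c run.bat", DL + "technical-assessment\\"),
]
```

Developers clone and run code all day, so in practice the output is a triage list to combine with other context (host role, repository origin, first-seen repository) rather than an alert on its own.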