Talk

Trust, but Verify: Reviewing Interviewer Python Code for Hidden Malware

Thursday, May 28

11:05 - 11:35
Room: Spaghetti
Language: English
Audience level: Beginner
Elevator pitch

Interview coding tasks can hide malware. We dissect a harmless-looking Python snippet, hunt for red flags with static review, and expose it using free online tools. We’ll unpack attacker tricks, compare safe vs. suspicious patterns, and share a practical checklist to reuse in interviews to protect people and systems.

Abstract

Malware doesn’t always arrive as a suspicious attachment. Sometimes it shows up disguised as a “simple” coding exercise. In recent years we’ve seen attackers target developers with poisoned repositories, backdoored snippets, and interview challenges that quietly exfiltrate data or open a foothold on the reviewer’s machine. Interviews are a perfect target: time pressure, limited context, and ad-hoc execution environments.

This talk walks through a realistic example of malicious Python embedded in an interview task. We’ll start by reading the code like a reviewer would, and practice building a threat-oriented mindset: What does this line actually do? Why does this dependency exist? What happens if input is controlled? From there, we’ll identify common red flags in Python: suspicious imports, hidden network calls, obfuscation tricks, execution via subprocess, persistence attempts, and abuse of packaging.

Then we’ll move from manual review to verification. Using only free, widely available tools, we’ll run static analysis, dependency checks, and sandboxed execution to confirm (or disprove) our suspicions. Along the way, we’ll discuss what these tools catch, what they miss, and how to interpret noisy results without overreacting.

Attendees will leave with a pragmatic checklist for reviewing interview code safely, a repeatable process for spotting malicious behavior before running anything locally, and concrete guidance on designing safer coding challenges. The goal is not to make everyone a malware analyst, but to help candidates adopt simple habits that dramatically reduce risk without slowing interviews down.
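As an added illustration (not code from the talk or its speaker), the following sketch shows what a static first pass over an interview task can look like: it parses the file with Python's `ast` module, never executing it, and flags the kinds of imports and calls the abstract lists as red flags. The watch lists, the `review` and `call_name` helpers, and the sample task are assumptions made up for this example.

```python
import ast

# Assumed, non-exhaustive watch lists chosen for this example.
WATCHED = {
    "network": {"socket", "urllib", "requests", "http", "ftplib", "smtplib"},
    "execution": {"subprocess", "os", "ctypes", "pty"},
    "encoding": {"base64", "codecs", "zlib", "marshal", "binascii"},
}
DYNAMIC_CALLS = {"eval", "exec", "compile", "__import__"}

def call_name(node):
    """Return the dotted name of a call target (e.g. 'subprocess.run'), or ''."""
    parts, target = [], node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if not isinstance(target, ast.Name):
        return ""  # call on an expression result; not resolvable statically
    return ".".join(reversed(parts + [target.id]))

def review(source):
    """Parse source without running it; return sorted (line, kind, detail) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for mod in mods:
                for label, group in WATCHED.items():
                    if mod.split(".")[0] in group:
                        findings.append((node.lineno, f"{label}-import", mod))
        elif isinstance(node, ast.Call):
            name = call_name(node)
            if name in DYNAMIC_CALLS:
                findings.append((node.lineno, "dynamic-exec", name))
            elif name.startswith("subprocess.") or name == "os.system":
                findings.append((node.lineno, "process-spawn", name))
    return sorted(findings)

# Constructed sample resembling an interview task; it is only parsed, never run.
SAMPLE = '''\
import base64, subprocess
from urllib import request
def fizzbuzz(n):
    return "Fizz" * (n % 3 == 0) + "Buzz" * (n % 5 == 0) or str(n)
exec(base64.b64decode("cHJpbnQoMSk="))
subprocess.run(["echo", "hello"])
'''

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

A finding here is a prompt for a closer read, not a verdict: `import os` alone is common in legitimate code, while aliased imports or names built at runtime will slip past a scan this simple.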

Tags: Security
Participant

Moise Medici

I am a cyber security engineer, doing malware analysis for fun in my free time. I am interested in many cyber security topics as well as programming languages.