At first I thought this was more clever than it was. Taking people into running downloaded or attached exe files is simple and apparently still effective.
But what would be even more wicked, and effective would be pointing them to a GitHub repo with the “challenge” project to complete, and referencing a compromised package that does their bidding as the victim tests their solution.
Yeah I was thinking about that. Even asking me to use a specific package for any reason, I probably wouldn't think much of that before today. However now I'd certainly question it.
But what would be even more wicked, and effective would be pointing them to a GitHub repo with the “challenge” project to complete, and referencing a compromised package that does their bidding as the victim tests their solution.