Similar for me. One was for an overly very well paid position. I always run (p)npm audit before running npm repos, so lots of issues were found. I tried to fix them but I would have gone over the time limit. So I asked the recruiter about it and if it makes sense to run it in an isolated VM. No answer...

The other was for a DevEx crypto service. While I was very suspicious the code looked okay but the recruiter was strange and changed their profile to a different person eventually. I think this was a crypto stealing scam though since it required connecting to a wallet. I don't have any crypto though, so I might be okay for now. Although reinstalling my system clean would be the only sure way in theory...

The big red flag should be giving github access before signing any contracts.