Fake Python Coding Tests Installed Malicious Software Packages From North Korea (scmagazine.com) 22
"New malicious software packages tied to the North Korean Lazarus Group were observed posing as a Python coding skills test for developers seeking a new job at Capital One, but were tracked to GitHub projects with embedded malware," reports SC magazine:
Researchers at ReversingLabs explained in a September 10 blog post that the scheme was a follow-on to the VMConnect campaign that they first identified in August 2023 in which developers were lured into downloading malicious code via fake job interviews.
More details from The Hacker News These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control. ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase... It's implemented in the form of a Base64-encoded string that obscures a downloader function, which establishes contact with a command-and-control server in order to execute commands received as a response.
In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes. This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."
Tom's Hardware reports that "The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS. This is a good time to refer to PEP 668 which enforces virtual environments for non-system wide Python installs."
More from The Hacker News Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation. It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.
More details from The Hacker News These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control. ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase... It's implemented in the form of a Base64-encoded string that obscures a downloader function, which establishes contact with a command-and-control server in order to execute commands received as a response.
In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes. This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."
Tom's Hardware reports that "The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS. This is a good time to refer to PEP 668 which enforces virtual environments for non-system wide Python installs."
More from The Hacker News Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation. It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.
And that was the test (Score:5, Funny)
test for developers seeking a new job at Capital One, but were tracked to GitHub projects with embedded malware
You imported the module without checking it out? No job for you.
Re: (Score:3)
It's pretty much the standard for developers these days. Did you check the signature? Did you at least check the checksum?
Most have no idea what I am talking about.
It's a general tendency nowadays to blindly believe in technology. We've been infiltrated so even people in the field act like outsiders average citizens.
Re: (Score:2)
This has been a thing for decades. People have been obtaining packages and throwing them on their system, not even considering the source. Most of the time, no harm, no fowl, but you do get the Trojan horse. It would be nice if people ran a "rpm -K" or the Debian/Ubuntu equivalent, or even better a GPG scan, after checking keys, making sure the key is genuine and all that.
Re: (Score:2)
Your word choice is rather foul.
Re: (Score:3)
Well he used the "rpm -K" term. I can't tell for sure but I am an old slackpkg fan although nowadays I have become accustomed to use apt/apt-get/aptitude more often.
I guess I am lucky to have gotten to touch redhat systems seldom but I have occasionally.
My all time favorite will always be IBM's smitty!
Re: (Score:2)
To be fair, most of the time when you download a package you don't also get a chicken...
Though the package is sometimes a turkey.
Re: (Score:2)
This has been a thing for decades. People have been obtaining packages and throwing them on their system, not even considering the source. Most of the time, no harm, no fowl, but you do get the Trojan horse. It would be nice if people ran a "rpm -K" or the Debian/Ubuntu equivalent, or even better a GPG scan, after checking keys, making sure the key is genuine and all that.
I've decided that this is what separates a coder from a systems person. Coders are the people who can hyper focus on just writing the software and do not care about the fact that there are wider consequences. They just don't think about it. The simple fact is that since they focus on the one thing they do generate code much faster. The fact also is that someone else has to deal with the consequences. Race to the bottom and all that kind of stuff.
Re: (Score:2)
Indeed. "Developers", my ass. Most of these people are clueless clowns.
Not that this is new: https://blog.codinghorror.com/... [codinghorror.com]
Even worse with javascript (Score:2)
For a long time now people have been writing web code that just blindly downloads js modules from randomsite.com with zero checking. At least with a manually downloaded module with python the option is there to check it with the checksum but the web offers no such protection - its take your chances and hope your browser sandbox holds up if some malicious actor has poisoned the repository (which IIRC happened not too long ago to some popular library).
Re: (Score:3)
PyPI is a cesspool. They refuse to do anything about these malware packages because doing so would mean requiring validation of the uploaders and the code they submitted. That would put friction between the developers and their users. Which would slow adoption of new code. The fact that the language itself pushes such a garbage repo
Re: (Score:2)
Pypi does try to "do anything". They insist on provenance, trace-able ownership for their modules, and they do respond quickly to reports of abusive modules. But they do rely on the authors not to violate basic security practices in their code, and the results have been as predictable as those for CPAN and for JPackage and for rust and for golang.
Re: (Score:3)
This feels like modern programming - everything comes from a third party site, and coding your own code is frowned upon because you're not reusing code. Especially in web development where everyone just grabs the same broken libraries, exacerbating problems around the world when these have malware or exploits.
Re: (Score:2)
More like "modern messing it up". Nobody that downloads code without serious verification deserves a job as a coder. And it is not only malware, the other aspect is the most expensive aspect of software: maintenance. If you use code from the web that will not be well maintained in the future, you are writing your project to be thrown away.
Re: (Score:2)
I was wondering if this might cause some employers with excessive interview practices to self-select for hiring clowns while rejecting the good applicants that hesitate to download and run the 'test module'.
wait I'm confused (Score:2)
I thought the North Koreans were the ones taking the remote-work jobs. So wouldn't think mean they were just jacking themselves?
well, go get them (Score:2)
What do you propose? (Score:2)
That nice Mr Kim has nukes. Seoul would be Gaza level destruction given the amount of artillery the North has. And the minimal internet connections with North Korea make a serious cyber attack unlikely to achieve anything. But apart from those, an attack on North Korea is a great idea.
Is Lazarus a common theme (Score:2)
In non-religious North Korea? Who named it that?
Virtual enfironments are not virtual machines. (Score:5, Informative)
This is a good time to refer to PEP 668 which enforces virtual environments for non-system wide Python installs."
Python "virtual environments" are not virtual machines (nor even anything like a chroot) and will not protect you against malware which pip installs.