Fake Job Recruiters Hid Malware In Developer Coding Challenges

Published: February 15, 2026 at 11:34 AM EST
Source: Slashdot

Overview

“A new variation of the fake recruiter campaign from North Korean threat actors is targeting JavaScript and Python developers with cryptocurrency‑related tasks,” reports The Register.

Researchers at software supply‑chain security company ReversingLabs say the threat actor creates fake companies in the blockchain and crypto‑trading sectors and publishes job offerings on platforms such as LinkedIn, Facebook, and Reddit. Developers applying for the job are asked to demonstrate their skills by running, debugging, and improving a given project. The attacker’s goal is to make the applicant execute the malicious code.

Attack Mechanics

  • The campaign involves 192 malicious packages published in the npm and PyPI registries.
  • The packages download a remote‑access trojan (RAT) that can:
    • exfiltrate files,
    • drop additional payloads,
    • execute arbitrary commands sent from a command‑and‑control server.

Case Study: bigmathutils

In the ReversingLabs report, a package named bigmathutils had ~10,000 downloads and was benign until version 1.1.0, which introduced the malicious payload. Shortly after, the threat actor deprecated and removed the package to conceal the activity.

The RAT checks whether the MetaMask cryptocurrency extension is installed in the victim’s browser, indicating a money‑stealing motive.
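
As an added example (not code from the ReversingLabs report or the original article), the version detail above can be turned into a check to run before executing a take-home project: scan its npm lockfile for a denylisted package at or past its first bad version, including nested copies pulled in by other dependencies. It assumes an npm lockfileVersion 2 or 3 layout; the sample lockfile, the project name and the chart-helper and date-fmt packages are constructed.

```javascript
// Denylist entry taken from the article: bigmathutils turned malicious at 1.1.0.
// Assumption: dependencies are resolved through an npm lockfile (v2 or v3).
const DENYLIST = [{ name: "bigmathutils", badFrom: "1.1.0" }];

// Compare dotted numeric versions. Pre-release tags are ignored, so
// "1.1.0-beta" is treated as 1.1.0 (the conservative choice for a denylist).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Walk every entry under "packages", including nested node_modules paths,
// so transitive copies of a denylisted package are reported too.
function auditLockfile(lockText, denylist = DENYLIST) {
  const lock = JSON.parse(lockText);
  const marker = "node_modules/";
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const rule = denylist.find((r) => r.name === name);
    if (rule && meta.version && cmpVersion(meta.version, rule.badFrom) >= 0) {
      findings.push({ name, version: meta.version, path });
    }
  }
  return findings;
}

// Constructed sample lockfile for a hypothetical coding-challenge repository.
const SAMPLE_LOCK = JSON.stringify({
  name: "trading-bot-challenge",
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-bot-challenge", version: "0.1.0" },
    "node_modules/chart-helper": { version: "2.0.0" },
    "node_modules/chart-helper/node_modules/bigmathutils": { version: "1.1.0" },
    "node_modules/bigmathutils": { version: "1.0.3" },
    "node_modules/date-fmt": { version: "3.2.1" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`DENYLISTED ${f.name}@${f.version} at ${f.path}`);
}
```

The top-level 1.0.3 copy passes while the nested 1.1.0 copy is flagged, which is why the check walks the resolved tree rather than only the project's direct dependencies.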

Variants and Coverage

ReversingLabs identified multiple variants written in:

  • JavaScript
  • Python
  • Visual Basic Script (VBS)

This breadth shows an intention to target a wide range of developers.

Timeline

The campaign has been active since at least May 2025.

References

  • The Register article (quoted above)
  • ReversingLabs report (details on the malicious packages)
  • Original story on Slashdot