North Korean hackers target Python devs with malware disguised as coding tests — hack has been underway for a year
Fake Python job opportunities used to attack programmers
Few things are more strenuous than finding new employment, but even worse is when a potential new employer turns out to be fake and is instead using an apparent job opportunity as a way to infect you with malware. Per a report from ReversingLabs, a leading cybersecurity firm, this has been happening to Python developers courtesy of North Korean hackers for about a year, and is likely to continue.
These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving "coding tests" that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present. The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS. This is a good time to refer to PEP 668, which enforces virtual environments for non-system-wide Python installs.
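As an added example (not part of the original article or the ReversingLabs report), here is a small static check a developer could run over a "coding test" repository before executing anything in it: it flags exec()/eval() calls fed by base64-decoded data, whether nested directly or through an intermediate variable, and decodes long Base64 literals so a reviewer can see what they hide. The sample sources below are constructed for illustration.

```python
import ast
import base64
import re

EXEC_SINKS = {"exec", "eval"}                                  # run decoded data
DECODE_FUNCS = {"b64decode", "decodebytes", "urlsafe_b64decode"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")             # long base64-looking literal


def _uses_decoder(node):
    """True if any call under `node` invokes a base64 decode function."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            if name in DECODE_FUNCS:
                return True
    return False


def scan_source(source):
    """Return [(line, reason)] for exec/eval of base64-decoded data and for
    long base64 literals (with a decoded preview to help triage)."""
    tree = ast.parse(source)
    # First pass: names bound from a decoder call, e.g. `_p = base64.b64decode(x)`
    decoded_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _uses_decoder(node.value):
            decoded_names |= {t.id for t in node.targets if isinstance(t, ast.Name)}
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) in EXEC_SINKS:
            for arg in node.args:
                if _uses_decoder(arg) or (isinstance(arg, ast.Name) and arg.id in decoded_names):
                    findings.append((node.lineno, "exec/eval of base64-decoded data"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and B64_RE.match(node.value):
            try:
                preview = base64.b64decode(node.value, validate=True)[:40]
            except ValueError:
                continue                                       # not real base64, skip
            findings.append((node.lineno, f"base64 literal decodes to {preview!r}"))
    return findings


# Constructed samples: an ordinary exercise and one that hides a stage-two loader.
CLEAN_TEST = "def fizzbuzz(n):\n    return 'Fizz' if n % 3 == 0 else n\n"
PAYLOAD = base64.b64encode(b"print('stage two would run here')").decode()
SUSPICIOUS_TEST = ("import base64\n" f"_cfg = '{PAYLOAD}'\n"
                   "_p = base64.b64decode(_cfg)\n" "exec(_p)\n")

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_TEST), ("suspicious", SUSPICIOUS_TEST)):
        print(name, scan_source(src))
```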
The motivation behind these attacks is unknown, but since Lazarus Group is a team of state-sponsored hackers, there's a fair chance that North Korea is simply doing what it can to be more of an international cybersecurity threat. The victims from around the FOSS and Python development community aren't government employees, but Python is being used more across multiple industries.
The state-sponsored Lazarus Group likely has no greater objectives beyond simply hijacking machines or stealing money, but its attacks on innocent, job-hunting programmers could point toward a desire to sabotage the cyber workforce outside of North Korea as well. ReversingLabs also speaks of these attacks targeting developers in "sensitive organizations", not just those who are looking for jobs.
Besides detailing how these attacks work, the original report from ReversingLabs warns that these attacks from Lazarus Group are part of an "active campaign". In fact, the same day one of the impacted users reached out to ReversingLabs, another exploitation tool popped up on GitHub. While the exploit in question was taken down, the timing seems to indicate that the user in contact with ReversingLabs is still compromised by Lazarus Group and that the posting was a response to having seen the victim's communications about the issue.
In today's era, cybersecurity isn't just a simple matter of not going to suspicious websites: major governments around the world nearly all have state-sponsored hackers in their employ. As long as those hackers are able to collect money or information for their government, they will do so by taking advantage of any possible cybersecurity gap, including, most unfortunately, false job opportunities.
Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the Sonic Adventure 2 soundtrack.