I've done incident responses for this exact type of attack multiple times. They've gotten much better organized lately and will often contact developers directly (over LinkedIn or WhatsApp) to run this type of attack. (Although, usually pretending to run a test for a job interview -- which is maybe why the author was confused about the code)
krisbolton 24 minutes ago [-]
100%. I can't find it now, but someone last month posted a similar story on HN. The threat actor had stolen someone's GitHub account and altered their otherwise legitimate looking repo. They'll expend a lot of effort in order to masquerade and trick you. TraderTraitor is another good DPRK example.
Anyone reading - if you're ever a victim, worth reporting to your national CERT and your org. The CERT can provide advice, it's useful for their threat intel, and your org can check their systems. You might not be the end target.
ThreatSystems 5 hours ago [-]
I run training courses on developer security to broaden their understanding of threat surface from their behaviour, day-to-day tooling, the repositories they work on and broader supply chain. One of the modules covers this exact scenario, it's amazing how many people do these exercises on corporate machines let alone their personal device!
There are mitigations you can put in place by using containers, virtual machines or even the execution environment e.g. Deno's ability to block/whitelist network calls[0], Bun's --ignore-scripts [1] and supply chain package managers have made some strides here like pnpm [2]. But it's knowing your threat surface and how to use your tooling which can be quite overbearing on cognitive load, especially in fast paced scenarios like "job of a lifetime offer!" from linked in.
Easiest way by default is to use ephemeral VMs / Sandbox Containers for such tasks which don't have mounted directories to your system etc. Or spin up a cheap EC2 / VPS to work on them in a short period of time.
I snagged right away at "the kind of low-level reliability judgment that most teams only notice when something breaks." Real people don't talk like the J. Peterman catalog.
close04 1 hours ago [-]
At this point it’s safe to assume most articles get the AI touch-up because the authors think that polish is worth it.
But what’s worse is the millionth “haw haw, it was made with AI” comment. Use your expertise to tell us if the article’s analysis is any good, not if the author used a “fancy narration” filter. “AI detectors” are a dime a dozen.
isaachh 57 minutes ago [-]
Thats a quote from the attacker, not part of the article itself. I don't think they are suggesting the article was AI written.
Muromec 4 hours ago [-]
I had an email like that last week, where sender claimed to be from Singapore, but the company and the person were not searchable on the blue site and their interview scheduling link didn't match Singapore timezone, while the domain was registered through an Indian registrar. The email didn't sound right somehow.
I almost scheduled a call with them and even self-explained that of course they would be on Pacific time, it's where the money is.
I do have some npm packages under my name and they found me through github, so here is that.
bobkb 6 hours ago [-]
This type of attack is going on for few years now. I had 2 in my credit.
https://en.wikipedia.org/wiki/Lazarus_Group
I've done incident responses for this exact type of attack multiple times. They've gotten much better organized lately and will often contact developers directly (over LinkedIn or WhatsApp) to run this type of attack. (Although, usually pretending to run a test for a job interview -- which is maybe why the author was confused about the code)
Anyone reading - if you're ever a victim, worth reporting to your national CERT and your org. The CERT can provide advice, it's useful for their threat intel, and your org can check their systems. You might not be the end target.
There are mitigations you can put in place by using containers, virtual machines or even the execution environment e.g. Deno's ability to block/whitelist network calls[0], Bun's --ignore-scripts [1] and supply chain package managers have made some strides here like pnpm [2]. But it's knowing your threat surface and how to use your tooling which can be quite overbearing on cognitive load, especially in fast paced scenarios like "job of a lifetime offer!" from linked in.
Easiest way by default is to use ephemeral VMs / Sandbox Containers for such tasks which don't have mounted directories to your system etc. Or spin up a cheap EC2 / VPS to work on them in a short period of time.
[0] - https://deno.com/blog/deno-protects-npm-exploits and https://docs.deno.com/runtime/fundamentals/security/
[1] - https://bun.com/docs/pm/lifecycle
[2] - https://pnpm.io/supply-chain-security
[2] - https://
But what’s worse is the millionth “haw haw, it was made with AI” comment. Use your expertise to tell us if the article’s analysis is any good, not if the author used a “fancy narration” filter. “AI detectors” are a dime a dozen.
I almost scheduled a call with them and even self-explained that of course they would be on Pacific time, it's where the money is.
I do have some npm packages under my name and they found me through github, so here is that.
Some details https://freebird.in/malicious-code-source-code-shared-via-jo...
the only real long-term solution to node-based attacks like this is to run any remote code in a container, or even a VM?