https://en.wikipedia.org/wiki/Lazarus_Group
I've done incident responses for this exact type of attack multiple times. They've gotten much better organized lately and will often contact developers directly (over LinkedIn or WhatsApp) to run this type of attack. (Although, usually pretending to run a test for a job interview -- which is maybe why the author was confused about the code)
This sort of an attack is comically simple to pull off with a 12b obliterated LLM model and some basic scripts and proxies.
Security has to evolve, or the world will be cooked by script kiddies running email loops.
There's really nothing sophisticated about this these days, and it's only a short matter of time before it becomes commonplace.
Anyone reading: if you're ever a victim, it's worth reporting to your national CERT and your org. The CERT can provide advice, it's useful for their threat intel, and your org can check their systems. You might not be the end target.
The C2 IP (89.124.107.161) and malware-serving git repo (144.124.244.92) are both hosted on VDSINA in Russia, so not sure if there's anything to do there.
There are mitigations you can put in place by using containers, virtual machines, or even the execution environment, e.g. Deno's ability to block/allowlist network calls [0], Bun's --ignore-scripts [1], and package managers have made some strides on supply-chain security, like pnpm [2]. But knowing your threat surface and how to use your tooling can be quite a cognitive load, especially in fast-paced scenarios like a "job of a lifetime offer!" from LinkedIn.
The easiest way by default is to use ephemeral VMs / sandbox containers for such tasks, with no directories from your system mounted, etc. Or spin up a cheap EC2 instance / VPS to work on them for a short period.
[0] - https://deno.com/blog/deno-protects-npm-exploits and https://docs.deno.com/runtime/fundamentals/security/
[1] - https://bun.com/docs/pm/lifecycle
[2] - https://pnpm.io/supply-chain-security
Some details https://freebird.in/malicious-code-source-code-shared-via-jo...
I almost scheduled a call with them and even self-explained that of course they would be on Pacific time, it's where the money is.
I do have some npm packages under my name and they found me through github, so here is that.
The only real long-term solution to node-based attacks like this is to run any remote code in a container, or even a VM?
https://www.tandfonline.com/doi/full/10.1080/2330443X.2022.2...
Hint: homicides and car theft. Burglary and larceny actually went down.
But, homicides surged prior to the start of the pandemic. If there is no correlation between the economic shutdown and homicides, then the crime surge was basically just car theft.
Car theft does not come from random homeless people. You don't steal a catalytic converter unless you know where you can sell it. You don't steal a car to make money, and then look around on where you can sell it. And car theft, unless it is a carjacking, is free of violence. During COVID I think a lot of "nouveau criminals" came out of the woodwork, people that were probably barely surviving with legitimate jobs that disappeared during the shutdown. I saw an article where police jailed someone that was just a father and son, caught stealing multiple cars. Those men had no prior record, and that seemed very strange to me.
I'm saying all this because this attack could be by Lazarus, as another commenter pointed out. Or could it be someone using an LLM to create a similar attack by prompting "Make me a post-install attack that looks like something the Lazarus group would do"? Could an LLM create a new class of local criminals? It is trivial now to set up a website that looks like a legitimate AI business (because AI businesses all have to sound ridiculous to be taken seriously). Creating the assets to make this attack work can be done with a $20/mo Claude account and a local LLM for the dirty bits. It would leave a trail for sure, but I imagine someone that has worked on tracing those trails could come up with an imaginative way to hide just the right things.
I've experienced the "best economy in the history of the US" for the last several years. To me, it looks like we have been in a recession for years, that was before the AI boom. When a massive group of people face drastic and sudden unemployment, which is what it looks like to an aging tech worker like me, I bet at least some of them would consider this. The tech sector has lost more jobs in the last 6 months than in 2025. And, that group has zero North Korean nationals. It might be someone living in a suburb in Phoenix, Arizona that can't pay their mortgage anymore.
Who knows if this attack was seasoned professionals. But, when we talk about AI creating or destroying jobs, couldn't AI create a bunch of "jobs" which are stealing banking credentials on behalf of 55 year olds, no longer able to find jobs in the tech industry?
If nothing else, this feels like it would make a good contemporary sci-fi story.