- This all stinks of Lazarus:
https://en.wikipedia.org/wiki/Lazarus_Group
I've done incident responses for this exact type of attack multiple times. They've gotten much better organized lately and will often contact developers directly (over LinkedIn or WhatsApp) to run this type of attack. (Although, usually pretending to run a test for a job interview -- which is maybe why the author was confused about the code)
- Why assume it is Lazarus?
This sort of an attack is comically simple to pull off with a 12b obliterated LLM model and some basic scripts and proxies.
Security has to evolve, or the world will be cooked by script kiddies running email loops.
There's really nothing sophisticated about this these days, and it's only a short matter of time before it becomes commonplace.
- 100%. I can't find it now, but someone last month posted a similar story on HN. The threat actor had stolen someone's GitHub account and altered their otherwise legitimate looking repo. They'll expend a lot of effort in order to masquerade and trick you. TraderTraitor is another good DPRK example.
Anyone reading - if you're ever a victim, it's worth reporting to your national CERT and your org. The CERT can provide advice, it's useful for their threat intel, and your org can check their systems. You might not be the end target.
- Author here - if anyone has any contacts at Cloudflare to get the proxied domains (at least roadpay[.]cc) taken down, that would be great. I wasn't able to get an abuse report to stick. Ditto for the related LinkedIn profile and Twitter accounts.
The C2 IP (89.124.107.161) and malware-serving git repo (144.124.244.92) are both hosted on VDSINA in Russia, so not sure if there's anything to do there.
- If you're hosting malware today of course you want to host in Russia. Those are the only hosts that won't kick you off the internet or get kicked off the internet themselves for hosting malware. Check what happened to Tony Stark Solutions (or what was it called). Since they didn't police their customers harshly enough, the owners are in prison for aiding and abetting varied cyber-crimes.
- Business establishments don't like to ban troublemakers. Bad for business. (Unless it gets enough bad press, then it becomes good for business).
- I snagged right away at "the kind of low-level reliability judgment that most teams only notice when something breaks." Real people don't talk like the J. Peterman catalog.
- For sure, but I also expect real people who do cold-reaches like this to be using LLMs. I wouldn't have assumed it was indicative of malicious intent, just laziness.
- At this point it’s safe to assume most articles get the AI touch-up because the authors think that polish is worth it.
But what’s worse is the millionth “haw haw, it was made with AI” comment. Use your expertise to tell us if the article’s analysis is any good, not if the author used a “fancy narration” filter. “AI detectors” are a dime a dozen.
- That's a quote from the attacker, not part of the article itself. I don't think they are suggesting the article was AI written.
- That’s literally what tptacek suggested. That the quote sounds unnatural, like a snippet from a sales catalog, the kind a person wouldn’t normally write.
I would have hoped that someone with years of security experience will bring some insight to the topic of the article, coincidentally also a cybersecurity one, instead of another “me too” of spotting LLM rewrites and tweaks.
- Dude, I'm not a vending machine for whatever takes you're hoping to see on the thread.
- I run training courses on developer security to broaden their understanding of threat surface from their behaviour, day-to-day tooling, the repositories they work on and the broader supply chain. One of the modules covers this exact scenario; it's amazing how many people do these exercises on corporate machines, let alone their personal device!
There are mitigations you can put in place by using containers, virtual machines or even the execution environment, e.g. Deno's ability to block/whitelist network calls [0], Bun's --ignore-scripts [1], and supply chain package managers have made some strides here, like pnpm [2]. But it's knowing your threat surface and how to use your tooling that can be quite overbearing on cognitive load, especially in fast-paced scenarios like a "job of a lifetime offer!" from LinkedIn.
Easiest way by default is to use ephemeral VMs / Sandbox Containers for such tasks which don't have mounted directories to your system etc. Or spin up a cheap EC2 / VPS to work on them in a short period of time.
[0] - https://deno.com/blog/deno-protects-npm-exploits and https://docs.deno.com/runtime/fundamentals/security/
[1] - https://bun.com/docs/pm/lifecycle
[2] - https://pnpm.io/supply-chain-security
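As an added illustration of the --ignore-scripts point above (example code, not from this thread or from any of the tools named), the following lists which npm lifecycle hooks a cloned "take-home task" repo would run automatically on install and flags rough indicators worth reading before allowing them; the package.json is constructed and the heuristics are assumptions, not a detection rule.

```javascript
// Added example: inspect install-time lifecycle hooks before running `npm install`.
// Hooks npm runs without being asked during `npm install` / `npm ci` of a local
// repo ("prepare" runs for a local checkout, not for registry dependencies).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators (assumption, not proof): fetch-and-run patterns in a hook.
const SUSPICIOUS = [/\bcurl\b/, /\bwget\b/, /base64/i, /\beval\b/, /node\s+-e\b/, /https?:\/\//];

// Return every install-time hook declared in package.json, with a suspicion flag.
function findInstallHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return INSTALL_HOOKS.filter((name) => name in scripts).map((name) => ({
    name,
    command: scripts[name],
    suspicious: SUSPICIOUS.some((re) => re.test(scripts[name])),
  }));
}

// Advice string: any install hook at all means prefer `npm ci --ignore-scripts`
// (a real npm flag) and read the hook first; a sandbox is still the default.
function installAdvice(packageJsonText) {
  const hooks = findInstallHooks(packageJsonText);
  if (hooks.length === 0) return "no install hooks: still prefer an ephemeral container";
  return "install hooks present: use --ignore-scripts and read them first";
}

// Constructed sample modelled on an "interview task" repo with a hidden fetch step.
const SAMPLE = JSON.stringify({
  name: "interview-task",
  scripts: {
    test: "jest",
    postinstall: "node -e \"require('https').get('https://example.invalid/x', r => r.pipe(process.stdout))\"",
  },
});

// Runs stand-alone: prints the hooks found in the sample and the advice.
for (const h of findInstallHooks(SAMPLE)) console.log(h);
console.log(installAdvice(SAMPLE));
```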
- This type of attack has been going on for a few years now. I have had 2 to my credit.
Some details https://freebird.in/malicious-code-source-code-shared-via-jo...
- I had an email like that last week, where sender claimed to be from Singapore, but the company and the person were not searchable on the blue site and their interview scheduling link didn't match Singapore timezone, while the domain was registered through an Indian registrar. The email didn't sound right somehow.
I almost scheduled a call with them and even self-explained that of course they would be on Pacific time, it's where the money is.
I do have some npm packages under my name and they found me through github, so here is that.
- wow, this is actually a really impressive attack - a far cry from the obfuscated postinstall hooks seen a million times before.
the only real long-term solution to node-based attacks like this is to run any remote code in a container, or even a VM?
- Crime surged during COVID. But, what type of crime?
https://www.tandfonline.com/doi/full/10.1080/2330443X.2022.2...
Hint: homicides and car theft. Burglary and larceny actually went down.
But, homicides surged prior to the start of the pandemic. If there is no correlation between the economic shutdown and homicides, then the crime surge was basically just car theft.
Car theft does not come from random homeless people. You don't steal a catalytic converter unless you know where you can sell it. You don't steal a car to make money, and then look around on where you can sell it. And, car theft, unless it is a car jacking, is free of violence. During COVID I think a lot of "nouveau criminals" came out of the woodwork, people that were probably barely surviving with legitimate jobs that disappeared during the shutdown. I saw an article where police jailed someone that was just a father and son, caught stealing multiple cars. Those men had no prior record and that seemed very strange to me.
I'm saying all this because this attack could be by Lazarus, as another commenter pointed out. Or, could it be someone using an LLM to create a similar attack by prompting "Make me a post-install attack that looks like something the Lazarus group would do." Could LLM create a new class of local criminals? It is trivial now to setup a website that looks like a legitimate AI business (because AI businesses all have to sound ridiculous to be taken seriously). Creating the assets to make this attack work can be done with a $20/mo Claude account and a local LLM for the dirty bits. It would leave a trail for sure, but I imagine someone that has worked on tracing those trails could come up with an imaginative way to hide just the right things.
I've experienced the "best economy in the history of the US" for the last several years. To me, it looks like we have been in a recession for years, that was before the AI boom. When a massive group of people face drastic and sudden unemployment, which is what it looks like to an aging tech worker like me, I bet at least some of them would consider this. The tech sector has lost more jobs in the last 6 months than in 2025. And, that group has zero North Korean nationals. It might be someone living in a suburb in Phoenix, Arizona that can't pay their mortgage anymore.
Who knows if this attack was seasoned professionals. But, when we talk about AI creating or destroying jobs, couldn't AI create a bunch of "jobs" which are stealing banking credentials on behalf of 55 year olds, no longer able to find jobs in the tech industry?
If nothing else, this feels like it would make a good contemporary sci-fi story.
- You definitely make a good point there. The job market is becoming impossible to navigate, and people will become desperate. Bills need to be paid and families need to be fed; if someone loses a job in tech, they could be easily tempted to 'hacking' others nowadays. It's becoming trivially easy to do so thanks to the things you mentioned, and if you target others in other countries not allied with the US you could even possibly get away with never getting punished even if caught.
- I found them refreshing and hacker vibes. I understand that's not welcome on HN though
- AFAIK it's an autistic person thing (correlating with hackers (for obvious reasons)) to go on little thought tangents (like this one) all the time and parentheses are how you express that in text (much easier than writing prose (effectively delineates the tangent and allows the reader to skip over it)) (yes I'm autistic myself) (yes I'm deliberately exaggerating the effect)
- I'm quite guilty of it and often find myself pushing parenthetical parts into the main text to avoid things getting too badly nested.
- Blame post modernism.
- (Or are we?)