alt Hacker NewsAnatomy of a Failed (Nation-State?) Attack
Comments
I run training courses on developer security to broaden their understanding of threat surface from their behaviour, day-to-day tooling, the repositories they work on and broader supply chain. One of the modules covers this exact scenario, it's amazing how many people do these exercises on corporate machines let alone their personal device!
There are mitigations you can put in place by using containers, virtual machines or even the execution environment e.g. Deno's ability to block/whitelist network calls[0], Bun's --ignore-scripts [1] and supply chain package managers have made some strides here like pnpm [2]. But it's knowing your threat surface and how to use your tooling which can be quite overbearing on cognitive load, especially in fast paced scenarios like "job of a lifetime offer!" from linked in.
Easiest way by default is to use ephemeral VMs / Sandbox Containers for such tasks which don't have mounted directories to your system etc. Or spin up a cheap EC2 / VPS to work on them in a short period of time.
[0] - https://deno.com/blog/deno-protects-npm-exploits and https://docs.deno.com/runtime/fundamentals/security/
[1] - https://bun.com/docs/pm/lifecycle
[2] - https://pnpm.io/supply-chain-security
[2] - https://
I snagged right away at "the kind of low-level reliability judgment that most teams only notice when something breaks." Real people don't talk like the J. Peterman catalog.
I had an email like that last week, where sender claimed to be from Singapore, but the company and the person were not searchable on the blue site and their interview scheduling link didn't match Singapore timezone, while the domain was registered through an Indian registrar. The email didn't sound right somehow.
I almost scheduled a call with them and even self-explained that of course they would be on Pacific time, it's where the money is.
I do have some npm packages under my name and they found me through github, so here is that.
This type of attack is going on for few years now. I had 2 in my credit.
Some details https://freebird.in/malicious-code-source-code-shared-via-jo...
wow, this is actually a really impressive attack - a far cry from the obfuscated postinstall hooks seen a million times before.
the only real long-term solution to node-based attacks like this is to run any remote code in a container, or even a VM?
Wow, this is pretty scary. LLMs have made phishing attempts look so much more legit, and the damage they can do so much greater.
This all stinks of Lazarus:
https://en.wikipedia.org/wiki/Lazarus_Group
I've done incident responses for this exact type of attack multiple times. They've gotten much better organized lately and will often contact developers directly (over LinkedIn or WhatsApp) to run this type of attack. (Although, usually pretending to run a test for a job interview -- which is maybe why the author was confused about the code)