Fake Job Recruiters Hid Malware In Developer Coding Challenges (bleepingcomputer.com)
(Sunday February 15, 2026 @11:34AM (EditorDavid)
from the world's-worst-boss dept.)
- Reference: 0180794778
- News link: https://it.slashdot.org/story/26/02/15/062259/fake-job-recruiters-hid-malware-in-developer-coding-challenges
- Source link: https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/
"A new variation of the fake recruiter campaign from North Korean threat actors is targeting JavaScript and Python developers with cryptocurrency-related tasks," [1]reports the Register .
> [2]Researchers at software supply-chain security company ReversingLabs say that the threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit. Developers applying for the job are required to show their skills by running, debugging, and improving a given project. However, the attacker's purpose is to make the applicant run the code... [The campaign involves 192 malicious packages published in the npm and PyPi registries. The packages download a remote access trojan that can exfiltrate files, drop additional payloads, or execute arbitrary commands sent from a command-and-control server.]
>
> In one case highlighted in the ReversingLabs report, a package named 'bigmathutils,' with 10,000 downloads, was benign until it reached version 1.1.0, which introduced malicious payloads. Shortly after, the threat actor removed the package, marking it as deprecated, likely to conceal the activity... The RAT checks whether the MetaMask cryptocurrency extension is installed on the victim's browser, a clear indication of its money-stealing goals...
>
> ReversingLabs has found multiple variants written in JavaScript, Python, and VBS, showing an intention to cover all possible targets.
The campaign has been ongoing since at least May 2025...
[1] https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/
[2] https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs
> [2]Researchers at software supply-chain security company ReversingLabs say that the threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit. Developers applying for the job are required to show their skills by running, debugging, and improving a given project. However, the attacker's purpose is to make the applicant run the code... [The campaign involves 192 malicious packages published in the npm and PyPi registries. The packages download a remote access trojan that can exfiltrate files, drop additional payloads, or execute arbitrary commands sent from a command-and-control server.]
>
> In one case highlighted in the ReversingLabs report, a package named 'bigmathutils,' with 10,000 downloads, was benign until it reached version 1.1.0, which introduced malicious payloads. Shortly after, the threat actor removed the package, marking it as deprecated, likely to conceal the activity... The RAT checks whether the MetaMask cryptocurrency extension is installed on the victim's browser, a clear indication of its money-stealing goals...
>
> ReversingLabs has found multiple variants written in JavaScript, Python, and VBS, showing an intention to cover all possible targets.
The campaign has been ongoing since at least May 2025...
[1] https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/
[2] https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs
Desperation (Score:3)
by drinkypoo ( 153816 )
It's tempting to declare that these are failing results from people who shouldn't be employed in these industries anyway due to their gullibility, and it's not entirely wrong, but it's also noteworthy that desperation increases vulnerability. The [1]jobs report [kvia.com] says there was net job creation, but [2]where are the jobs? [bbc.com] Is the claim of job creation [3]as false as the expectations of 2025? [nepm.org]
[1] https://kvia.com/news/business-technology/cnn-business-consumer/2026/02/11/what-to-expect-from-todays-jobs-report/
[2] https://www.bbc.com/news/articles/c3ewje4xk3yo
[3] https://www.nepm.org/2026-02-12/revised-labor-department-figures-show-hiring-in-2025-was-lower-than-reported
Can a cesspool of the vanities become... (Score:2)
Can a cesspool of the vanities become a black hole? Just asking for a friend (who hasn't retired yet).
The vanity in this particular case is thinking you are so valuable that the phishers would want to hire you. But I kind of like the recursive nature of breaching you so they can go after your references and contacts, too.
Re: (Score:2)
Did I FP? I confess that possibility was a factor in not writing at my usual length, but now I'm thinking of two examples for your consideration:
(1) LinkedIn as the home of fake recruiters harvesting personal information.
(2) YouTube as the source of the best AI-powered phishing scam I've seen yet. My theory of the case is that they went after people who had commented on a famous author's videos on YouTube. The email seemed to come from the author and seemed to be related to one of the projects he'd describe