Anatomy of a Failed (Nation-State?) Attack (grack.com)
sneakerblack 1 day ago [-]
This all stinks of Lazarus:

https://en.wikipedia.org/wiki/Lazarus_Group

I've done incident responses for this exact type of attack multiple times. They've gotten much better organized lately and will often contact developers directly (over LinkedIn or WhatsApp) to run this type of attack. (Although, usually pretending to run a test for a job interview -- which is maybe why the author was confused about the code)

nullbio 1 day ago [-]
Why assume it is Lazarus?

This sort of an attack is comically simple to pull off with a 12b obliterated LLM model and some basic scripts and proxies.

Security has to evolve, or the world will be cooked by script kiddies running email loops.

There's really nothing sophisticated about this these days, and it's only a short matter of time before it becomes commonplace.

krisbolton 4 hours ago [-]
Fair challenge, you're right that there's nothing sophisticated about this type of activity, but if you look at Lazarus activity this is their TTP. I mentioned TraderTraitor; go look them up (that sounds terse, it's not meant to be). They stole a couple of hundred million dollars in the past 6 months. They're not particularly sophisticated in terms of TTP, but because they're a nation-state actor it's an entirely different threat model than a script kiddie.

Attribution is hard, but if we're talking about defending, there's little cost to assuming Lazarus-style threat actor.

krisbolton 1 day ago [-]
100%. I can't find it now, but someone posted a similar story on HN last month. The threat actor had stolen someone's GitHub account and altered their otherwise legitimate-looking repo. They'll expend a lot of effort in order to masquerade and trick you. TraderTraitor is another good DPRK example.

Anyone reading: if you're ever a victim, it's worth reporting to your national CERT and your org. The CERT can provide advice, it's useful for their threat intel, and your org can check their systems. You might not be the end target.

tptacek 2 days ago [-]
I snagged right away at "the kind of low-level reliability judgment that most teams only notice when something breaks." Real people don't talk like the J. Peterman catalog.
insanitybit 1 day ago [-]
For sure, but I also expect real people who do cold-reaches like this to be using LLMs. I wouldn't have assumed it was indicative of malicious intent, just laziness.
close04 1 day ago [-]
[flagged]
isaachh 1 day ago [-]
That's a quote from the attacker, not part of the article itself. I don't think they are suggesting the article was AI written.
close04 1 day ago [-]
[flagged]
tptacek 1 day ago [-]
Dude, I'm not a vending machine for whatever takes you're hoping to see on the thread.
mmastrac 1 day ago [-]
Author here - if anyone has any contacts at Cloudflare to get the proxied domains (at least roadpay[.]cc) taken down, that would be great. I wasn't able to get an abuse report to stick. Ditto for the related LinkedIn profile and Twitter accounts.

The C2 IP (89.124.107.161) and malware-serving git repo (144.124.244.92) are both hosted on VDSINA in Russia, so not sure if there's anything to do there.

microgpt 1 day ago [-]
If you're hosting malware today of course you want to host in Russia. Those are the only hosts that won't kick you off the internet or get kicked off the internet themselves for hosting malware. Check what happened to Tony Stark Solutions (or what was it called). Since they didn't police their customers harshly enough, the owners are in prison for aiding and abetting varied cyber-crimes.
crossroadsguy 1 day ago [-]
Business establishments don't like to ban troublemakers. Bad for business. (Unless it gets enough bad press, then it becomes good for business).
ThreatSystems 2 days ago [-]
I run training courses on developer security to broaden their understanding of the threat surface from their behaviour, day-to-day tooling, the repositories they work on and the broader supply chain. One of the modules covers this exact scenario; it's amazing how many people do these exercises on corporate machines, let alone their personal device!

There are mitigations you can put in place by using containers, virtual machines or even the execution environment, e.g. Deno's ability to block/whitelist network calls [0], Bun's --ignore-scripts [1], and supply-chain-aware package managers like pnpm have made some strides here [2]. But it's knowing your threat surface and how to use your tooling which can be quite overbearing on cognitive load, especially in fast-paced scenarios like a "job of a lifetime offer!" from LinkedIn.

The easiest way by default is to use ephemeral VMs / sandbox containers for such tasks which don't have mounted directories to your system etc. Or spin up a cheap EC2 / VPS to work on them for a short period of time.

[0] - https://deno.com/blog/deno-protects-npm-exploits and https://docs.deno.com/runtime/fundamentals/security/

[1] - https://bun.com/docs/pm/lifecycle

[2] - https://pnpm.io/supply-chain-security


bobkb 2 days ago [-]
This type of attack has been going on for a few years now. I've had 2 to my credit.

Some details https://freebird.in/malicious-code-source-code-shared-via-jo...

Muromec 1 day ago [-]
I had an email like that last week, where sender claimed to be from Singapore, but the company and the person were not searchable on the blue site and their interview scheduling link didn't match Singapore timezone, while the domain was registered through an Indian registrar. The email didn't sound right somehow.

I almost scheduled a call with them and even self-explained that of course they would be on Pacific time, it's where the money is.

I do have some npm packages under my name and they found me through github, so here is that.

timfsu 2 days ago [-]
Wow, this is pretty scary. LLMs have made phishing attempts look so much more legit, and the damage they can do so much greater.
xrd 1 day ago [-]
Crime surged during COVID. But, what type of crime?

https://www.tandfonline.com/doi/full/10.1080/2330443X.2022.2...

Hint: homicides and car theft. Burglary and larceny actually went down.

But, homicides surged prior to the start of the pandemic. If there is no correlation between the economic shutdown and homicides, then the crime surge was basically just car theft.

Car theft does not come from random homeless people. You don't steal a catalytic converter unless you know where you can sell it. You don't steal a car to make money and then look around for where you can sell it. And car theft, unless it is a carjacking, is free of violence. During COVID I think a lot of "nouveau criminals" came out of the woodwork, people that were probably barely surviving with legitimate jobs that disappeared during the shutdown. I saw an article where police jailed a father and son, caught stealing multiple cars. Those men had no prior record and that seemed very strange to me.

I'm saying all this because this attack could be by Lazarus, as another commenter pointed out. Or, could it be someone using an LLM to create a similar attack by prompting "Make me a post-install attack that looks like something the Lazarus group would do." Could LLMs create a new class of local criminals? It is trivial now to set up a website that looks like a legitimate AI business (because AI businesses all have to sound ridiculous to be taken seriously). Creating the assets to make this attack work can be done with a $20/mo Claude account and a local LLM for the dirty bits. It would leave a trail for sure, but I imagine someone that has worked on tracing those trails could come up with an imaginative way to hide just the right things.

I've experienced the "best economy in the history of the US" for the last several years. To me, it looks like we have been in a recession for years, and that was before the AI boom. When a massive group of people face drastic and sudden unemployment, which is what it looks like to an aging tech worker like me, I bet at least some of them would consider this. The tech sector has lost more jobs in the last 6 months than in 2025. And that group has zero North Korean nationals. It might be someone living in a suburb in Phoenix, Arizona that can't pay their mortgage anymore.

Who knows if this attack was by seasoned professionals. But, when we talk about AI creating or destroying jobs, couldn't AI create a bunch of "jobs" which are stealing banking credentials on behalf of 55-year-olds no longer able to find jobs in the tech industry?

If nothing else, this feels like it would make a good contemporary sci-fi story.

microgpt 1 day ago [-]
We aren't in a recession while the stock market is up, even though that has nothing to do with the state of the economy.
BobbyTables2 13 hours ago [-]
True, but the past 6-7 years make me seriously question whether it’s real growth or inflation.

For >10 years prior I had a fairly flat salary at two separate employers. Yearly raise of about 2%.

Now salary is up about 50% from almost 10 years ago and home value almost doubled during the same timeframe.

I know I’m not that lucky in life… I don’t live in a HCOL area. I don’t work in an industry that is on fire. Nobody actually gets huge raises for performance.

Sure, the stock market has seen enormous gains over the past 10-15 years. Even the major indices have maintained gains that would traditionally be unimaginable.

That can’t be real growth - it’s the recipe for inflation.

If half the country owned $1000 of NVIDIA 20 years ago, would we be richer? No, inflation would follow and the other half would be poorer…

microgpt 6 hours ago [-]
Oh it's all inflation. Don't pay attention to the inflation numbers from the government - pay attention to how much essentials are up, and assets with similar fundamentals.

Inflation has been focused in assets for... some reason, and assets aren't counted in CPI, giving the government a false signal that it was okay to print more money for a while now.

Have a look at every other stock market, too. They don't usually go up forever like this. They usually stay steady or go up quite slowly.

xrd 1 day ago [-]
No disagreement there, good point.
robotnikman 1 day ago [-]
You definitely make a good point there. The job market is becoming impossible to navigate, and people will become desperate. Bills need to be paid and families need to be fed; if someone loses a job in tech, they could easily be tempted into 'hacking' others nowadays. It's becoming trivially easy to do so thanks to the things you mentioned, and if you target people in other countries not allied with the US you could even possibly get away with never getting punished even if caught.
bstsb 1 day ago [-]
wow, this is actually a really impressive attack - a far cry from the obfuscated postinstall hooks seen a million times before.

the only real long-term solution to node-based attacks like this is to run any remote code in a container, or even a VM?

nesarkvechnep 2 days ago [-]
[flagged]
OsrsNeedsf2P 1 day ago [-]
I found them refreshing, with hacker vibes. I understand that's not welcome on HN though.
microgpt 1 day ago [-]
AFAIK it's an autistic person thing (correlating with hackers (for obvious reasons)) to go on little thought tangents (like this one) all the time and parentheses are how you express that in text (much easier than writing prose (effectively delineates the tangent and allows the reader to skip over it)) (yes I'm autistic myself) (yes I'm deliberately exaggerating the effect)
rcxdude 1 day ago [-]
I'm quite guilty of it and often find myself pushing parenthetical parts into the main text to avoid things getting too badly nested.
ggm 2 days ago [-]
Blame post modernism.
LearnYouALisp 1 day ago [-]
(Or are we?)
ggm 18 hours ago [-]
Or (are) we to blame indeed.