Suspected North Korea-linked threat actors have been targeting software developers with fraudulent NPM packages, presented as part of job interviews, that deploy a malicious Python backdoor, as part of the ongoing DEV#POPPER social engineering campaign, according to The Hacker News.
Threat actors impersonating employers have been delivering a GitHub-hosted ZIP archive, purportedly part of a job interview, that contains the information-stealing JavaScript file dubbed "BeaverTail", which also enables the installation of the InvisibleFerret Python backdoor, a report from Securonix showed. The script also features data exfiltration, remote command execution, and clipboard and keystroke logging capabilities.
"When it comes to attacks which originate through social engineering, it's critical to maintain a security-focused mindset, especially during intense and stressful situations like job interviews. The attackers behind the DEV#POPPER campaigns abuse this, knowing that the person on the other end is in a highly distracted and in a much more vulnerable state," said researchers.