Software developers targeted by malware hidden in Python packages

News
By
published

Lazarus is back with more fake job scams

The Python banner logo on a computer screen running a code editor.
(Image credit: Shutterstock / Trismegist san)

Python developers working on Mac devices are being targeted by North Korean hackers once again experts have warned.

A report from cybersecurity researchers Unit 42 has claimed the attacks are, at least to some extent, part of the so-called Operation Dream Job, run by Lazarus Group, an infamous hacking collective on North Korea’s payroll. It revolves around creating fake job ads and luring software developers to apply. During the hiring process, the crooks would trick the devs into downloading and running malicious packages, thus granting the attackers access to important resources.

In this instance, the criminals were observed uploading weaponized Python packages to PyPI, one of the world’s most popular Python package repositories.

PondRAT

So far, the researchers identified four packages, which were subsequently reported and removed from the platform:

real-ids (893 downloads)
coloredtxt (381 downloads)
beautifultext (736 downloads)
minisound (416 downloads)

These packages were allegedly holding a piece of malware called PondRAT. This remote access trojan is a stripped-down version of POOLRAT (also known as SIMPLESEA), a known macOS backdoor that Lazarus was observed deploying in the past.

PondRAT can’t do all the things POOLRAT can, but it can still upload and download files, run arbitrary commands, or even stop working for a while.

"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 said. Gleaming Pisces, Unit 42 claims, is a sub-group of Lazarus.

"The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."

For months now, Lazarus has been creating fake job ads, attempting to compromise developers working in high-profile organizations. It was also seen trying to get hired by these firms, too.

Via The Hacker News

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
North Korean flag with a hooded hacker
North Korean hackers are posing as software development recruiters to target freelancers
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software
Image depicting a hand on a scanner
New Lazarus Group campaign sees North Korean hackers spreading undetectable malware through GitHub and open source packages
Hacker silhouette working on a laptop with North Korean flag on the background
North Korean Lazarus hackers are targeting nuclear workers
A digital representation of a lock
Looking for a new job? Watch out you don't fall for this new malware scam
Hacker silhouette working on a laptop with North Korean flag on the background
North Korean hackers are targeting LinkedIn jobseekers with new malware - here's how to stay safe
Latest in Security
A graphic showing fleet tracking locations over a city.
Lost & Found tracking site hit by major data breach - over 800,000 could be affected
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Web DDoS attacks see major surge as AI allows more powerful attacks
Polish space agency says it was hit by a cyberattack
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Latest in News
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first
Google Pixel 9 Pro
Here are the 7 best Pixel 9 and Pixel Watch 3 features landing in March’s Pixel Feature Drop
Bang & Olufsen Beogram 4000C Saint Laurent Rive Droite Edition
Bang & Olufsen's latest reworked turntable is a masterpiece of retro revival, in a breathtaking wooden presentation box
Apple Watch Series 10
Apple unveils new Apple Watch bands – here's what's in the Spring 2025 collection
More about security
A graphic showing fleet tracking locations over a city.

Lost & Found tracking site hit by major data breach - over 800,000 could be affected
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.

Microsoft Teams and other Windows tools hijacked to hack corporate networks
Shot of footballer Jamal Musiala playing for Bayern Munich

Bayern Munich vs Bayer Leverkusen live stream: How to watch the UEFA Champions League match online
See more latest
Most Popular
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Apple Vision Pro with Dassault Systèmes 3DEXPERIENCE platform
Dassault Systèmes teams up with Apple to use Vision Pro headsets to bring spatial CAD to life
Samsung 18.1-inch foldable OLED monitor
Samsung has launched a flexible portable monitor complete with a briefcase, one that seems to come straight from a James Bond movie
GenMachine Zhi mini pc
This is the smallest AMD PC I've ever seen: mysterious manufacturer uses Ryzen 3 APU with surprising results
Beelink ME Mini
One of our favorite mini PC vendors has launched a NAS that looks a bit like Apple's PowerMac G4 Cube PC - but way smaller
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first
Maserati MC20 Autonomous
This AI-driven Maserati just hit 197.7mph without a human behind the wheel
AI data center
Is Microsoft hesitating on AI? Days after CEO said it would be upping capacity, analyst claims tech giant has actually cancelled data center leases
Google Pixel 9 Pro
Here are the 7 best Pixel 9 and Pixel Watch 3 features landing in March’s Pixel Feature Drop