Normal view
'OpenAI wil ChatGPT upgraden naar superapp met tools die meer geld opleveren'
'3d-printermaker Bambu Lab schendt opensourcelicentie'
OpenAI maakt Codex op smartphone beschikbaar via ChatGPT-app
Nederlands techbedrijf Bird ontslaat 20 procent van personeel vanwege AI
Nederlandse overheid zet zelfgehost alternatief voor GitHub op poten
Team achter offline meshchatnetwerk Meshcore valt uit elkaar vanwege vibecoding
Ontwikkelaars moeten opletten: GitHub CLI verzamelt nu telemetrie met opt-out
Anthropic erkent dat Claude vershittificeerde en wijt dat aan bugs
Microsoft gaat Mythos inzetten om kwetsbaarheden te vinden
-
Kaspersky official blog

- Targeting developers: real-world cases, tactics, and defense strategies | Kaspersky official blog
Targeting developers: real-world cases, tactics, and defense strategies | Kaspersky official blog
Lately, hackers have been turning up the heat on software developers. On the surface, this might seem like a puzzling move β why go after someone whoβs literally paid to understand tech when there are plenty of less-savvy targets in the office? As it turns out, compromising a developerβs machine offers a much bigger payoff for an attacker.
Why developers are such high-value targets
For starters, compromising a coderβs workstation can give attackers a direct line to source code, credentials, authentication tokens, or even the entire development infrastructure. If the company builds software for others, a hijacked dev environment allows attackers to launch a massive supply chain attack, using the companyβs products to infect its customer base. If the developer works on internal services, their machine becomes a perfect beachhead for lateral movement, allowing hackers to spread deeper into the corporate network.
Even when attackers are purely chasing cryptocurrency (and letβs face it, tech pros are much more likely to hold crypto than the average person), the malware used in these hits doesnβt just swap out wallet addresses; it vacuums up every scrap of valuable data it can find β especially those login credentials and session tokens. Even if the original attackers donβt care about corporate access, they can easily flip those credentials to initial access brokers or more specialized threat actors on the dark web.
Why developers are sitting ducks
In practice, developers arenβt nearly as good at understanding cyberthreats and spotting social engineering as they think they are. This misconception is a big reason why they often fall prey to cybercriminals. Professional expertise can often create a false sense of digital invincibility. This often leads technical professionals to cut corners on security protocols, bypass restrictions set by the security team, or even disable security software on their corporate machines when it gets in the way of their workflow. That mindset, combined with a job that requires them to constantly download and run third-party code, makes them sitting ducks for cyberattackers.
Attack vectors targeting developers
Once an attacker sets their sights on a software engineer, their go-to move is usually finding a way to slip malicious code onto the machine. But thatβs just the tip of the iceberg β hackers are also masters at rebranding classic, battle-tested tactics.
Compromising open-source packages
One of the most common ways to hit a developer is by poisoning open-source software. Weβve seen a flood of these attacks over the past year. A prime example hit in March 2026, when attackers managed to inject malicious code into LiteLLM, a popular Python library hosted in the PyPI repository. Because this library acts as a versatile gateway for connecting various AI agents, itβs baked into a massive number of projects. These trojanized versions of LiteLLM delivered scripts designed to hunt for credentials across the victimβs system. Once stolen, that data serves as a skeleton key for attackers to infiltrate any company that was unlucky enough to download the infected packages.
Malware hidden in technical assignments
Every so often, attackers post enticing job openings for developers, complete with take-home test assignments that are laced with malicious code. For instance, in late February 2026, malicious actors pushed out web application projects built on Next.js via several malicious repositories, framing them as coding tests. Once a developer cloned the repo and fired up the project locally, a script would trigger automatically to download and install a backdoor. The attackers gained full remote access to the developerβs machine.
Fake development tools
Recently, our experts described an attack where hackers used paid search-engine ads to push malware disguised as popular AI tools. One of the primary baits was Claude Code, an AI coding assistant. This campaign specifically targeted developers looking for a way to use AI-assistants under the radar, without getting the green light from their companyβs infosec team. The ads directed users to a malicious site that perfectly mimicked the official Claude Code documentation. It even included βinstallation instructionsβ, which prompted the user to copy and run a command. In reality, running that command installed an infostealer that harvested credentials and shuttled them off to a remote server.
Social engineering tactics
That said, attackers often stick to the basics when trying to plant malware. A recent investigation into a compromised npm package β Axios β revealed that hackers had gained access to a maintainerβs system using a shockingly simple βoutdated softwareβ ruse. The attackers reached out to the Axios repository maintainer while posing as the founder of a well-known company. After some back-and-forth, they invited him to a video interview. When the developer tried to join the meeting on what looked like Microsoft Teams, he hit a fake notification claiming his software was out of date and needed an immediate update. That βupdateβ was actually a Remote Access Trojan, giving the attackers access to his machine.
Niche spam
Sometimes, even a blast of fake notifications does the trick, especially when itβs tailored to the audience. For example, just recently, attackers were caught posting fake alerts in the Discussions tabs of various GitHub projects, claiming there was a critical vulnerability in Visual Studio Code that required an immediate update. Because developers subscribed to those discussions received these alerts directly via email, the notifications looked like legitimate security warnings. Of course, the link in the message didnβt lead to an official patch; it pointed to a βfixedβ version of VS Code that was actually laced with malware.
How to safeguard an organization
To minimize the risk of a breach, companies should lean into the following best practices:
- Make security a native part of your workflow. Use specialized solutions to vet your images, packages, dependencies, and components.
- Use threat intelligence feeds specifically focused on open-source components to check the packages used in software development.
- Make sure security awareness training covers everyone β including developers. Leverage specialized solutions like Kaspersky Automated Security Awareness Platform.
- Make sure developers are aware of the latest attack patterns β you can keep them in the loop by following the Development tag right here on this



