โŒ

Reading view

Targeting developers: real-world cases, tactics, and defense strategies | Kaspersky official blog

Lately, hackers have been turning up the heat on software developers. On the surface, this might seem like a puzzling move โ€” why go after someone whoโ€™s literally paid to understand tech when there are plenty of less-savvy targets in the office? As it turns out, compromising a developerโ€™s machine offers a much bigger payoff for an attacker.

Why developers are such high-value targets

For starters, compromising a coderโ€™s workstation can give attackers a direct line to source code, credentials, authentication tokens, or even the entire development infrastructure. If the company builds software for others, a hijacked dev environment allows attackers to launch a massive supply chain attack, using the companyโ€™s products to infect its customer base. If the developer works on internal services, their machine becomes a perfect beachhead for lateral movement, allowing hackers to spread deeper into the corporate network.

Even when attackers are purely chasing cryptocurrency (and letโ€™s face it, tech pros are much more likely to hold crypto than the average person), the malware used in these hits doesnโ€™t just swap out wallet addresses; it vacuums up every scrap of valuable data it can find โ€” especially those login credentials and session tokens. Even if the original attackers donโ€™t care about corporate access, they can easily flip those credentials to initial access brokers or more specialized threat actors on the dark web.

Why developers are sitting ducks

In practice, developers arenโ€™t nearly as good at understanding cyberthreats and spotting social engineering as they think they are. This misconception is a big reason why they often fall prey to cybercriminals. Professional expertise can often create a false sense of digital invincibility. This often leads technical professionals to cut corners on security protocols, bypass restrictions set by the security team, or even disable security software on their corporate machines when it gets in the way of their workflow. That mindset, combined with a job that requires them to constantly download and run third-party code, makes them sitting ducks for cyberattackers.

Attack vectors targeting developers

Once an attacker sets their sights on a software engineer, their go-to move is usually finding a way to slip malicious code onto the machine. But thatโ€™s just the tip of the iceberg โ€” hackers are also masters at rebranding classic, battle-tested tactics.

Compromising open-source packages

One of the most common ways to hit a developer is by poisoning open-source software. Weโ€™ve seen a flood of these attacks over the past year. A prime example hit in March 2026, when attackers managed to inject malicious code into LiteLLM, a popular Python library hosted in the PyPI repository. Because this library acts as a versatile gateway for connecting various AI agents, itโ€™s baked into a massive number of projects. These trojanized versions of LiteLLM delivered scripts designed to hunt for credentials across the victimโ€™s system. Once stolen, that data serves as a skeleton key for attackers to infiltrate any company that was unlucky enough to download the infected packages.

Malware hidden in technical assignments

Every so often, attackers post enticing job openings for developers, complete with take-home test assignments that are laced with malicious code. For instance, in late February 2026, malicious actors pushed out web application projects built on Next.js via several malicious repositories, framing them as coding tests. Once a developer cloned the repo and fired up the project locally, a script would trigger automatically to download and install a backdoor. The attackers gained full remote access to the developerโ€™s machine.

Fake development tools

Recently, our experts described an attack where hackers used paid search-engine ads to push malware disguised as popular AI tools. One of the primary baits was Claude Code, an AI coding assistant. This campaign specifically targeted developers looking for a way to use AI-assistants under the radar, without getting the green light from their companyโ€™s infosec team. The ads directed users to a malicious site that perfectly mimicked the official Claude Code documentation. It even included โ€œinstallation instructionsโ€, which prompted the user to copy and run a command. In reality, running that command installed an infostealer that harvested credentials and shuttled them off to a remote server.

Social engineering tactics

That said, attackers often stick to the basics when trying to plant malware. A recent investigation into a compromised npm package โ€” Axios โ€” revealed that hackers had gained access to a maintainerโ€™s system using a shockingly simple โ€œoutdated softwareโ€ ruse. The attackers reached out to the Axios repository maintainer while posing as the founder of a well-known company. After some back-and-forth, they invited him to a video interview. When the developer tried to join the meeting on what looked like Microsoft Teams, he hit a fake notification claiming his software was out of date and needed an immediate update. That โ€œupdateโ€ was actually a Remote Access Trojan, giving the attackers access to his machine.

Niche spam

Sometimes, even a blast of fake notifications does the trick, especially when itโ€™s tailored to the audience. For example, just recently, attackers were caught posting fake alerts in the Discussions tabs of various GitHub projects, claiming there was a critical vulnerability in Visual Studio Code that required an immediate update. Because developers subscribed to those discussions received these alerts directly via email, the notifications looked like legitimate security warnings. Of course, the link in the message didnโ€™t lead to an official patch; it pointed to a โ€œfixedโ€ version of VS Code that was actually laced with malware.

How to safeguard an organization

To minimize the risk of a breach, companies should lean into the following best practices:

  •  

IndonesianFoods Spam Campaign: 89 000 junk packages in npm

What do the words bakso, sate, and rendang bring to mind? For many, the answer is โ€œnothingโ€; foodies will recognize them as Indonesian staples; while those who follow cybersecurity news will remember an attack on the Node Package Manager (npm) ecosystem โ€” the tool that lets developers use prebuilt libraries instead of writing every line of code from scratch.

In mid-November, security researcher Paul McCarty reported the discovery of a spam campaign aimed at cluttering the npm registry. Of course, meaningless packages have appeared in the registry before, but in this case, tens of thousands of modules were found with no useful function. Their sole purpose was to inject completely unnecessary dependencies into projects.

The package names featured randomly inserted Indonesian dish names and culinary terms such as bakso, sate, and rendang, which is how the campaign earned the moniker โ€œIndonesianFoodsโ€. The scale was impressive: at the time of discovery, approximately 86ย 000 packages had been identified.

Below, we dive into how this happened, and what the attackers were actually after.

Inside IndonesianFoods

At first glance, the IndonesianFoods packages didnโ€™t look like obvious junk. They featured standard structures, valid configuration files, and even well-formatted documentation. According to researchers at Endor Labs, this camouflage allowed the packages to persist in the npm registry for nearly two years.

Itโ€™s not as if the attackers were aggressively trying to insert their creations into external projects. Instead, they simply flooded the ecosystem with legitimate-looking code, waiting for someone to make a typo or accidentally pick their library from search results. Itโ€™s a bit unclear exactly what youโ€™d have to be searching for to mistake a package name for an Indonesian dish, but the original research notes that at least 11 projects somehow managed to include these packages in their builds.

A small portion of these junk packages had a self-replication mechanism baked in: once installed, they would create and publish new packages to the npm registry every seven seconds. These new modules featured random names (also related to Indonesian cuisine) and version numbers โ€” all published, as youโ€™d expect, using the victimโ€™s credentials.

Other malicious packages integrated with the TEA blockchain platform. The TEA project was designed to reward open-source creators with tokens in proportion to the popularity and usage of their code โ€” theoretically operating on a โ€œProof of Contributionโ€ model.

A significant portion of these packages contained no actual functionality at all, yet they often carried a dozen dependencies โ€” which, as you might guess, pointed to other spam projects within the same campaign. Thus, if a victim mistakenly includes one of these malicious packages, it pulls in several others, some of which have their own dependencies. The result is a final project cluttered with a massive amount of redundant code.

Whatโ€™s in it for the attackers?

There are two primary theories. The most obvious is that this entire elaborate spam campaign was designed to exploit the aforementioned TEA protocol. Essentially, without making any useful contribution to the open-source community, the attackers earn TEA tokens โ€” which are standard digital assets that can be swapped for other cryptocurrencies on exchanges. By using a web of dependencies and self-replication mechanisms, the attackers pose as legitimate open-source developers to artificially inflate the significance and usage metrics of their packages. In the README files of certain packages, the attackers even boast about their earnings.

However, thereโ€™s a more chilling theory. For instance, researcher Garrett Calpouzos suggests that what weโ€™re seeing is merely a proof of concept. The IndonesianFoods campaign could be road-testing a new malware delivery method intended to be sold later to other threat actors.

Why you donโ€™t want junk in your projects

At first glance, the danger to software development organizations might not be obvious: sure, IndonesianFoods clutters the ecosystem, but it doesnโ€™t seem to carry an immediate threat like ransomware or data breaches.ย  However, redundant dependencies bloat code and waste developersโ€™ system resources. Furthermore, junk packages published under your organizationโ€™s name can take a serious toll on your reputation within the developer community.

We also canโ€™t dismiss Calpouzosโ€™s theory. If those spam packages pulled into your software receive an update that introduces truly malicious functionality, they could become a threat not just to your organization, but to your users as well โ€” evolving into a full-blown supply chain attack.

How to safeguard your organization

Spam packages donโ€™t just wander into a project on their own; installing them requires a lapse in judgment from a developer. Therefore, we recommend regularly raising awareness among employees โ€” even the tech-savvy ones โ€” about modern cyberthreats. Our interactive training platform, KASAP (Kaspersky Automated Security Awareness Platform), can help with that.

Additionally, you can prevent infection by using a specialized solution for protecting containerized environments. It scans images and third-party dependencies, integrates into the build process, and monitors containers during runtime.

If you want to learn more about supply chain attacks, we invite you to look at our analytical report Supply chain reaction: securing the global digital ecosystem in an age of interdependence. Itโ€™s based on insights from technical experts and reveals how often organizations face supply-chain and trusted-relationship risks, and how they perceive them.

  •  

Microsofts winapp-tool kan ontwikkelomgevingen opzetten via de commandline

Microsoft heeft een tool uitgebracht waarmee Windows-ontwikkelaars vanaf de commandline ontwikkeltaken kunnen uitvoeren. Winapp is bedoeld voor ontwikkelaars die met meerdere frameworks werken en geen ide's als Visual Studio gebruiken. De tool kan eenvoudig de benodigde sdk's downloaden of appmanifests bijwerken.
  •  

Exploit Development โ€“ A Sincere Form of Flattery

moth // Recently, BHIS penetration tester Dale Hobbs was on an Internal Network Penetration Test and came across an RPC-based arbitrary command execution vulnerability in his vulnerability scan results.ย  I [โ€ฆ]

The post Exploit Development โ€“ A Sincere Form of Flattery appeared first on Black Hills Information Security, Inc..

  •  

Lawrenceโ€™s List 080516

Lawrence Hoffman // With BlackHat and DefCon happening as I type itโ€™s hard to choose whatโ€™s going to make this list. I will probably save most of the big shiny [โ€ฆ]

The post Lawrenceโ€™s List 080516 appeared first on Black Hills Information Security, Inc..

  •  
โŒ