Fake Python job opportunities used to attack programmers
For anyone who’s brain is stuck in QA mode, they mean “coding skills test,” not some tool to test code.
I read the entire article with the wrong paradigm and got confused when I didn’t see the vector for infection.
the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving “coding tests” that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present.
So, a supply chain attack or they’re sending you code to run?
This is a good time to refer to PEP 668 which enforces virtual environments for non-system wide Python installs.
Virtual environments are not isolated sandboxes. This is not a security feature. Do not expect any kind of safety by running things in a venv.
I’m assuming they just send you a zip file with an ‘existing codebase’ where somewhere in a hidden dependency a bit of code does something nefarious when you first run the project. You don’t even need root access to do something bad, your whole home directory is interesting enough as it is (emails, SSH keys, saved browser passwords, etc).
Not everyone is going to do a coding test in a separate account or in a VM.
Strange. When I shared the permalink of this Lemmy post on Discord, it embedded the wrong title and thumbnail…
“After 30 Years, Linux Finally Hits 3% Market Share”
I noticed this today too, no idea what is going on. Need to reach out to the instance admin, since it’s only happening on my instance as far as I can see.
