Fake Python job opportunities used to attack programmers

  • jonne@infosec.pub
    3 months ago

    I’m assuming they just send you a zip file with an ‘existing codebase’ where somewhere in a hidden dependency a bit of code does something nefarious when you first run the project. You don’t even need root access to do something bad; your whole home directory is interesting enough as it is (emails, SSH keys, saved browser passwords, etc.).

    Not everyone is going to do a coding test in a separate account or in a VM.
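
A pre-run check for the scenario described in the comment above, added here as an example (it is not part of the original comment): it lists the files in an unpacked project that Python tooling executes implicitly, so they can be read before anything is installed or run. The function names, the list of file names (not exhaustive) and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Files that Python tooling executes without being asked to (assumed list, not exhaustive).
AUTORUN_NAMES = {
    "setup.py": "executed by pip install / build",
    "conftest.py": "imported by pytest during collection",
    "sitecustomize.py": "imported at interpreter startup when on sys.path",
    "usercustomize.py": "imported at interpreter startup when on sys.path",
    "__main__.py": "executed by `python -m <package>` or `python <dir>`",
}

def find_autorun_files(root):
    """Return sorted (relative_path, reason) pairs to review before running anything."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name in AUTORUN_NAMES:
                findings.append((rel, AUTORUN_NAMES[name]))
            elif name.endswith(".pth"):
                # Once a .pth file lands in site-packages, site.py executes
                # every line in it that starts with "import".
                text = path.read_text(errors="replace")
                if any(l.startswith(("import ", "import\t")) for l in text.splitlines()):
                    findings.append((rel, ".pth file with an executable import line"))
    return sorted(findings)

def demo():
    """Build a constructed sample project in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "vendor" / "helper").mkdir(parents=True)
        (base / "app.py").write_text("print('hello')\n")
        (base / "vendor" / "helper" / "setup.py").write_text("# constructed sample\n")
        (base / "vendor" / "paths.pth").write_text("import os\n")
        (base / "vendor" / "plain.pth").write_text("../src\n")
        return find_autorun_files(base)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The scan only shows where to look first; it reads files and never imports or executes anything from the project.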