In November, the Lazarus group, North Korea’s primary cyberespionage and sabotage arm, compromised a Taiwanese multimedia software company called CyberLink and trojanized the installer for one of its commercial applications. In February, Japan’s CERT reported that Lazarus uploaded malicious Python packages to PyPI, the official Python package repository.

One of the dangers of campaigns like DEV#POPPER is that some victims who fall for the fake job interview lure are current employees looking for better opportunities. As such, they likely have credentials and information about projects as part of their current jobs, highlighting the importance of treating developer machines as critical assets with strict access control and monitoring.

“​​Based on the gathered telemetry, no specific trend in victimology was identified,” the Securonix researchers wrote in their new report. “However, analysis of the collected samples revealed victims are primarily scattered across South Korea, North America, Europe, and the Middle East, indicating that the impact of the attack is widespread.”