North Korean-linked hackers have been using tainted Python packages to deploy a new malware named PondRAT, according to Palo Alto Networks’ Unit 42. PondRAT is a lightweight version of POOLRAT (also known as SIMPLESEA), a backdoor associated with the Lazarus Group and previously seen in the 3CX supply chain attack.
These attacks are part of a broader campaign called “Operation Dream Job,” in which victims are lured with fake job offers into downloading malware. The attackers uploaded malicious Python packages to the PyPI repository, including “real-ids,” “coloredtxt,” “beautifultext,” and “minisound,” which were downloaded hundreds of times before they were removed.
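As an added defender-side check (example code written for this page, not from Unit 42 or the article), the function below scans a requirements file or `pip freeze` output for the four package names listed above, applying PEP 503 name normalization so that spelling variants such as `Real_IDs` still match; the sample requirements are constructed.

```python
import re
from typing import Iterable, Set

# The four PyPI package names reported by Unit 42 (taken from the article above).
MALICIOUS_PYPI_PACKAGES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# Leading project name of a requirement line (stops at version specifiers,
# extras like "[extra]", or the "@ url" form that pip freeze emits).
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_name(line: str):
    """Return the normalized package name on a requirements line, or None if
    the line is blank, a comment, or a pip option such as -e / -r / --index-url."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _REQ_NAME.match(line)
    return normalize_name(m.group(1)) if m else None


def find_flagged_packages(lines: Iterable[str],
                          blocklist=MALICIOUS_PYPI_PACKAGES) -> Set[str]:
    """Return the set of blocklisted (normalized) names found in the given lines."""
    wanted = {normalize_name(n) for n in blocklist}
    found = set()
    for line in lines:
        name = parse_requirement_name(line)
        if name in wanted:
            found.add(name)
    return found


# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0
Real_IDs==0.1.0
coloredtxt @ file:///tmp/coloredtxt-1.0.tar.gz
# beautifultext appears only in this comment, so it must not be flagged
minisound[extras]>=0.2
-e ./local-package
--index-url https://pypi.org/simple
"""

if __name__ == "__main__":
    hits = find_flagged_packages(SAMPLE_REQUIREMENTS.splitlines())
    print("flagged packages:", sorted(hits))
```

The same function can be fed `subprocess.run(["pip", "freeze"], ...)` output line by line to audit an already-provisioned environment.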
Once installed, the packages execute malicious code that retrieves and runs Linux and macOS builds of PondRAT. PondRAT shares much of POOLRAT's functionality, including file transfer, command execution, and delaying operations. The campaign, attributed to a group tracked as Gleaming Pisces (also known as Citrine Sleet or Nickel Academy), aims to compromise developers' systems in order to reach supply chain vendors and, through them, their customers.
The use of legitimate-looking Python packages across multiple platforms poses a significant threat to organizations, risking malware infections that could compromise entire networks. The revelation follows reports that North Korean actors have infiltrated companies by submitting fake resumes and securing remote jobs, highlighting the sophisticated tactics of these nation-state-backed operations.