the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving “coding tests” that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present.
So, a supply chain attack or they’re sending you code to run?
This is a good time to refer to PEP 668 which enforces virtual environments for non-system wide Python installs.
Virtual environments are not isolated sandboxes. This is not a security feature. Do not expect any kind of safety by running things in a venv.
I’m assuming they just send you a zip file with an ‘existing codebase’ where somewhere in a hidden dependency a bit of code does something nefarious when you first run the project. You don’t even need root access to do something bad, your whole home directory is interesting enough as it is (emails, SSH keys, saved browser passwords, etc).
Not everyone is going to do a coding test in a separate account or in a VM.
So, a supply chain attack or they’re sending you code to run?
Virtual environments are not isolated sandboxes. This is not a security feature. Do not expect any kind of safety by running things in a venv.
I’m assuming they just send you a zip file with an ‘existing codebase’ where somewhere in a hidden dependency a bit of code does something nefarious when you first run the project. You don’t even need root access to do something bad, your whole home directory is interesting enough as it is (emails, SSH keys, saved browser passwords, etc).
Not everyone is going to do a coding test in a separate account or in a VM.