In our previous blog posts, we’ve explored social engineering as a sophisticated tactic used by threat actors to manipulate individuals into revealing confidential information or taking actions they usually wouldn’t. This tactic is commonly used in various attacks to trick victims into running malicious code. Social engineering is challenging to spot because it exploits essential human traits like trust, fear, or the desire to help others.
In this blog, we’ll focus on a specific social engineering campaign called “DevPopper.” This campaign targets software developers through fake job interviews and ultimately delivers a Python-based remote access trojan (RAT).
The attack leverages npm packages, which developers widely use. Due to npm’s popularity, it has become a prime target for malicious actors. Attackers either publish new packages or compromise existing ones, introducing malware that can modify or exfiltrate sensitive data from users who install these packages.
Newer variants of this attack have enhanced capabilities and now target Linux, Windows, and macOS devices.

Understanding the Remote Access Trojan (RAT) in Dev Popper
DevPopper is a deceptive cyber threat that uses fake job interviews to distribute a remote access trojan. Cyberattacks previously focused on blocking access to systems or destroying information. However, these attacks have evolved and now include the ability to steal user information remotely.
A Remote Access Trojan (RAT) is a type of malware that allows attackers to view and modify user files, manipulate system functions, monitor and log user activities, and even use the victim’s system to launch attacks on other systems. [1] Essentially, it gives the attacker full administrative privileges and remote control of the target computer.
This type of malware can easily hide within a system, using advanced infection techniques that often allow it to evade detection by security software. A user typically becomes a victim by unknowingly downloading the malware alongside a seemingly legitimate program or through phishing.
RATs are specifically designed to look like legitimate computer content. Once installed on a victim’s computer, the RAT connects to a command-and-control server (C2) controlled by the attacker. From there, the attacker can monitor the user’s behavior, access their trusted information, activate the system’s webcam, distribute additional malware or viruses, and delete, download, or modify files.

What is Dev Popper, and How Does the Attack Operate?
Dev Popper is a social engineering campaign in which attackers impersonate interviewers looking to hire software developers for non-existent positions. The first step in the attack involves the attacker using social engineering tactics to find suitable targets. They pose as employers offering job opportunities to developers, and once the victim expresses interest, the attacker directs them to download a coding task, delivered as a zip file, from GitHub. Inside the zip file is an npm (Node Package Manager) package disguised as a standard task. npm is a popular tool among developers that helps manage JavaScript libraries and dependencies. [2]
Once the victim extracts and runs the contents of the package using the commands “npm install” and “npm start”, a hidden and obfuscated JavaScript file is activated. This file downloads a Python-based RAT, which can execute various malicious actions on the infected system. Once the RAT runs, it collects information about the system, such as the operating system, hardware details, installed software, keystrokes, usernames, passwords, screenshots, and location data. This information is then sent to a command-and-control server, allowing the attacker to maintain control over the infected machine.
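The install-and-start step above is the point where a developer can still refuse to run anything. The following is an added example of a pre-install inspection, written for this post and not code from the DevPopper campaign, from Securonix, or from npm itself. It takes an unpacked package as in-memory file contents (an assumption made so it runs offline), lists the lifecycle hooks in package.json that `npm install` or `npm start` would execute, and scans the JavaScript sources for two tells the post describes: suspicious API use (eval, base64 decoding, child processes, outbound HTTP) and code pushed far to the right of a very long line, where an editor would not show it without horizontal scrolling. The sample package at the bottom is constructed for the demonstration.

```javascript
// Added example: heuristic pre-install inspection of an unpacked npm package.
// Not code from the campaign or from any vendor; the file map input is an
// assumption so the checks run without touching disk.

// Hooks that npm runs on install, plus the one the post says the victim types.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "start"];

// API usage that deserves a human read before the package is run.
const SUSPICIOUS_PATTERNS = [
  { name: "eval()", re: /\beval\s*\(/ },
  { name: "Function constructor", re: /new\s+Function\s*\(/ },
  { name: "child_process", re: /child_process/ },
  { name: "base64 decode", re: /from\(\s*[^,]+,\s*["']base64["']\s*\)/ },
  { name: "outbound HTTP", re: /\brequire\(\s*["']https?["']\s*\)/ },
];

// Report every lifecycle hook defined in package.json together with its command,
// so the reader sees exactly what `npm install` / `npm start` will execute.
function inspectScripts(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => hook in scripts)
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Scan one JavaScript source for over-long lines, large whitespace gaps that push
// code off-screen, and the suspicious API patterns above. Returns one finding per hit.
function inspectJsSource(fileName, source, maxLineLength = 300) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    if (line.length > maxLineLength) {
      findings.push({ file: fileName, line: lineNo,
        reason: `line length ${line.length} exceeds ${maxLineLength}` });
    }
    // Non-whitespace, then 80+ spaces, then more code: the tail is hidden in most editors.
    if (/\S {80,}\S/.test(line)) {
      findings.push({ file: fileName, line: lineNo,
        reason: "code separated by a large gap of whitespace" });
    }
    for (const { name, re } of SUSPICIOUS_PATTERNS) {
      if (re.test(line)) {
        findings.push({ file: fileName, line: lineNo, reason: `uses ${name}` });
      }
    }
  });
  return findings;
}

// Run both checks over a package given as { "relative/path": fileText, ... }.
function inspectPackage(files) {
  const hooks = inspectScripts(files["package.json"] || "{}");
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    if (name.endsWith(".js")) findings.push(...inspectJsSource(name, text));
  }
  return { hooks, findings, safeToRun: hooks.length === 0 && findings.length === 0 };
}

// Constructed sample: an ordinary-looking coding task whose third line carries an
// obfuscated call far to the right, after a long run of spaces. The base64 text is
// just the word "hello"; nothing here is real campaign content.
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({
    name: "coding-task",
    version: "1.0.0",
    scripts: { start: "node index.js" },
  }),
  "index.js": [
    "const express = require('express');",
    "const app = express();",
    "app.get('/', (req, res) => res.send('ok'));" + " ".repeat(400) +
      "eval(Buffer.from('aGVsbG8=', 'base64').toString());",
    "app.listen(3000);",
  ].join("\n"),
};

console.log(JSON.stringify(inspectPackage(SAMPLE_PACKAGE), null, 2));
```

On the constructed sample the report lists the `start` hook and four findings, all on line 3 of index.js: the over-long line, the whitespace gap, the eval call, and the base64 decode. A clean package with no hooks and no hits returns `safeToRun: true`; the heuristics are deliberately noisy, since the goal is to force a read of the flagged lines rather than to classify malware.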

Obfuscated JavaScript [3]

Python script that functions as a RAT [3]
The Securonix Threat Research team highlights that the malicious code is cleverly concealed in the bottom-right corner of the JavaScript file, making it challenging to detect. The code has a low detection rate on VirusTotal, with only 3 out of 64 vendors identifying it as a threat.
During the research, the team was able to uncover details about the JavaScript code. They found the C2 server’s address and port, as well as the methods used to send victim data back to the server. The script prepares and sends this information through HTTP POST requests, including time stamps, unique identifiers for the infected machine, operating system details, and other collected data. [4]

Hidden C2 Address [3]
The campaign has evolved, with the attackers using compromised software packages to distribute the malware and target developers across different platforms.
In this blog, we’ve focused on the social engineering aspect of the attack and will not discuss the technical details of the script functionalities. Understanding social engineering techniques is crucial, because they are the initial step in exploiting the victim before any malicious activity takes place.
Conclusion
The Dev Popper campaign is a social engineering attack in which attackers pose as recruiters. They exploit the human vulnerabilities of software developers to deliver malicious code through platforms like GitHub, ultimately compromising sensitive data. This malware enables attackers to take control of infected systems.
While this specific attack targeted software developers, social engineering attacks are becoming more frequent and sophisticated, making them harder to detect and more straightforward to execute. Therefore, everyone needs to remain alert and cautious when dealing with unknown job offers or downloading packages from untrusted sources.
To protect ourselves, we should follow security best practices. Some of them are verifying the legitimacy of job offers, inspecting files before running them, and using tools that can detect suspicious activity. Awareness of the tactics used in social engineering attacks is key to preventing exploitation. By staying informed and adopting a proactive security mindset, we can better protect our systems.
- [1] El-Metwaly, A. E., Abdelfattah, M. A., Maher, N. M., Hamed, M., Tayel, E. M., & Al-Rifai, M. A. (2024). Remote Access Trojan (RAT) attack: A stealthy cyber threat posing severe security risks. 2024 International Telecommunication Conferences. IEEE.
- [2] Abdalkareem, R., Nourry, O., Wehaibi, S., Mujahid, S., & Shihab, E. (2017). Why do developers use trivial packages? An empirical case study on npm. Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2017), 385-395.
- [3] Securonix. (2025). Research update: Threat actors behind the DevPopper campaign have retooled and are continuing to target software developers via social engineering. Securonix.
- [4] Securonix. (2025). Analysis of DevPopper: New attack campaign targeting software developers likely associated with North Korean threat actors. Securonix.