Crypto developers targeted by Python malware disguised as coding challenges

The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment.

The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899.

“Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges,” security researcher Prashil Pattni said. “These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer.”

Read more at The Hacker News