High Data Breach

Hackers Use Fake Resumes to Steal Enterprise

The TeamPCP hacking group continues its supply-chain rampage, now compromising the massively popular 'LiteLLM' Python package on PyPI and claiming to have stolen data from hundreds of thousands of dev

What Happened

Security researchers have uncovered a sophisticated, multi-vector attack campaign linked to the notorious Conti ransomware syndicate. The operation employs two primary methods: a targeted phishing campaign and widespread software supply-chain attacks. In the phishing vector, attackers are targeting French-speaking corporate environments with highly convincing fake resumes. When opened, these documents deploy information-stealing malware and cryptocurrency miners. Simultaneously, the same threat actors, tracked as TeamPCP and Ghost Campaign, have poisoned popular open-source repositories. They have backdoored the massively popular “LiteLLM” package on PyPI and published at least seven malicious packages on npm, designed to steal credentials, authentication tokens, and cryptocurrency wallets from developers’ systems.

Why It Matters

This campaign represents a significant escalation in the blending of social engineering and software supply-chain compromise. The use of fake resumes exploits a common, trusted business process (recruitment) to gain an initial foothold in specific enterprises. Concurrently, the supply-chain attacks cast a much wider net, potentially compromising hundreds of thousands of developers globally. This dual approach allows the group to conduct both targeted intrusions and broad credential harvesting. The involvement of Conti affiliates suggests the stolen credentials and access could be used for more severe follow-on attacks, such as ransomware deployment or data theft, posing a substantial threat to organizational security.

Technical Details

The phishing campaign delivers malicious documents, often PDFs or Office files, that execute scripts to download payloads. These payloads include information stealers like Raccoon Stealer and cryptocurrency miners. The supply-chain attacks are more technical. The compromised LiteLLM PyPI package contained obfuscated code that harvested environment variables, cloud credentials, and API keys from infected systems. The malicious npm packages, with names like eslint-config-* and discord-selfbot-*, used similar obfuscation techniques to exfiltrate browser data, Discord tokens, and crypto wallet files to attacker-controlled servers.

Immediate Risk

The immediate risk is HIGH. The campaign is active and has already claimed to have stolen data from hundreds of thousands of developer systems via the poisoned packages. Any organization with French-speaking offices or developers using Python’s LiteLLM or the affected npm packages is at direct risk of credential compromise and cryptojacking. The established infrastructure and Conti ties indicate this is a professional, financially motivated operation likely to persist and evolve. Urgent action is required to scan for and remove the malicious packages and to educate staff on the resume-based phishing threat.

Security Insight

This operation underscores the critical need for defense-in-depth across both human and technical vectors. Organizations must enhance vetting of unsolicited job applications and train HR staff to recognize sophisticated phishing lures. Technically, robust software supply-chain security is non-negotiable. This includes implementing strict controls for open-source package usage, scanning dependencies for known malicious code, and monitoring for anomalous network traffic or system resource usage indicative of a cryptominer. Proactive hunting for the IOCs associated with these packages and phishing payloads is essential. For other critical vulnerabilities, such as the recent PHP RCE Vulnerability (CVE-2026-27174) - Patch Now, timely patching remains a foundational security practice.
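The Technical Details and Security Insight sections name the package indicators (the LiteLLM PyPI package and npm packages matching eslint-config-* and discord-selfbot-*) and call for scanning dependencies against them. The following Python script is an added example, not code from the article or from any vendor it cites: it parses `pip freeze` output and a package-lock.json `packages` map, normalizes PyPI names per PEP 503 (so `LiteLLM` and `litellm` compare equal), and reports every installed package that hits the watchlist. The article gives no affected version ranges or hashes, so the watchlist matches any version (an assumption to replace once the advisory's version list is available), and the sample inputs are constructed. Note that wildcard patterns also match legitimate packages (eslint-config-prettier, for instance), so pattern hits are triage leads to be checked against the published IOCs, not verdicts.

```python
import fnmatch
import json
import re
from dataclasses import dataclass

# Watchlist built only from the package names the advisory mentions.
# ASSUMPTION: no affected versions are published on the page, so every
# version of a listed name is reported; narrow this once versions are known.
PYPI_WATCHLIST = {"litellm": "LiteLLM PyPI package named in the advisory"}
NPM_WATCHLIST_PATTERNS = {
    "eslint-config-*": "matches malicious eslint-config-* npm package naming",
    "discord-selfbot-*": "matches malicious discord-selfbot-* npm package naming",
}


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    name: str
    version: str
    reason: str


def normalize_pypi_name(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pip_freeze(text: str):
    """Yield (name, version) pairs from `pip freeze` output.

    Comment lines, editable installs (-e ...) and direct URL references
    (pkg @ file:///...) carry no pinned version and are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-e") or "@" in line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            yield name.strip(), version.strip()


def parse_package_lock(lock: dict):
    """Yield (name, version) pairs from a lockfileVersion 2/3 'packages' map.

    Keys look like 'node_modules/foo' or 'node_modules/a/node_modules/@s/b';
    the package name is everything after the last 'node_modules/'.
    """
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", "?")


def scan_pypi(freeze_text: str) -> list:
    """Report installed PyPI packages whose normalized name is on the watchlist."""
    findings = []
    for name, version in parse_pip_freeze(freeze_text):
        key = normalize_pypi_name(name)
        if key in PYPI_WATCHLIST:
            findings.append(Finding("pypi", name, version, PYPI_WATCHLIST[key]))
    return findings


def scan_npm(lock: dict) -> list:
    """Report npm packages whose name matches any watchlist glob pattern."""
    findings = []
    for name, version in parse_package_lock(lock):
        for pattern, reason in NPM_WATCHLIST_PATTERNS.items():
            if fnmatch.fnmatchcase(name, pattern):
                findings.append(Finding("npm", name, version, reason))
    return findings


# Constructed sample inputs; the version strings are placeholders.
PIP_FREEZE_SAMPLE = """\
# constructed `pip freeze` output
requests==2.31.0
LiteLLM==0.0.0
openai==1.2.3
"""

PACKAGE_LOCK_SAMPLE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/eslint-config-prettier": {"version": "9.1.0"},
    "node_modules/discord-selfbot-example": {"version": "0.0.0"},
    "node_modules/some-dep/node_modules/eslint-config-example": {"version": "0.0.0"}
  }
}""")


if __name__ == "__main__":
    for f in scan_pypi(PIP_FREEZE_SAMPLE) + scan_npm(PACKAGE_LOCK_SAMPLE):
        print(f"[{f.ecosystem}] {f.name}=={f.version}: {f.reason}")
```

In practice, feed the script the real `pip freeze` output from each Python environment (including CI runners and container images) and every package-lock.json in the repository tree, then triage each hit against the advisory's published indicators before removing the package and rotating any credentials the host held.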
