AI, Malware, and the Rise of Software Development Infiltration
August 27, 2025
5 minute read
For years, security teams have focused on defending against malicious code injected into open source projects and package repositories. Tracking espionage campaigns, shadow downloads, and targeted malware was the main priority. But the threat has shifted. Hostile nation-state actors are no longer just attacking software externally—they are embedding themselves inside the teams that build it.
A recent report by CrowdStrike, highlighted by Fortune, reveals a sharp increase in this tactic. Over the past year, North Korean IT operatives posing as legitimate software developers have infiltrated more than 320 companies—a 220% jump from the previous year. Their targets range from Fortune 500 giants to smaller tech firms worldwide. Their toolkit now includes a new weapon: artificial intelligence (AI).
The Tactic: Becoming the Developer
The North Korean program, known as "Famous Chollima" by CrowdStrike, trains thousands of operatives in software engineering, English, and Western business practices. These operatives often work in teams located in third-party countries like China, Russia, and Poland. Each is expected to generate over $10,000 per month for the regime.
- Generate revenue to bypass sanctions and fund weapons programs (estimated $250M to $600M yearly).
- Gain insider access to software projects for intelligence or backdoors.
- Embed long-term within development teams to steal intellectual property or sabotage operations.
This is more than a malware attack. It’s about establishing a foothold inside the software development process. Developers hold privileged access to an organization’s critical assets—code and build systems. When threat actors embed themselves inside development infrastructure, they gain a prime entry point to insert malicious code, steal data, or disrupt the software supply chain.
AI as a Force Multiplier
AI supports every stage of this infiltration strategy:
- Identity fabrication: Deepfake photos, forged documents, and synthetic personas bypass HR checks.
- Interview assistance: AI-generated answers and real-time deepfake masking help operatives convincingly play roles during interviews.
- On-the-job support: AI chatbots assist in writing code, managing communications, and juggling multiple jobs without revealing the operative’s true identity or location.
This AI-powered social engineering is no longer limited to phishing or malware. It now targets hiring and collaboration within development teams directly.
From Laptop Farms to Global Networks
U.S. law enforcement has disrupted many domestic "laptop farm" operations, but the model is now spreading internationally. Operations have moved to Western Europe, where laptops are shipped under false pretenses like "family emergencies" or "medical leave." These devices are then remotely accessed by operatives abroad. A company hiring what appears to be a Romanian or Polish developer may soon find their hardware and credentials controlled by a North Korean operative.
Why This Matters for Software Security
Software supply chain security often focuses on code artifacts such as packages, dependencies, and commits. This trend reveals a hard truth: the human element is part of the supply chain. If an adversary is already a developer within your organization, every pull request, architecture discussion, and CI/CD pipeline is at risk. Insider threat, nation-state espionage, and supply chain compromise are blending into one.
Defensive Shifts: From Code-First to People-First
Defending against this threat requires applying "zero trust" principles beyond infrastructure and applications—to hiring and personnel practices:
- Rigorous Identity Verification: Independently verify references, employment history, and contact details instead of relying solely on applicant-provided info.
- Geographic and Device Controls: Monitor shipping addresses and device transfers carefully, especially for remote hires in sensitive regions.
- Access Minimization: Limit permissions, enforce time-bound access, and watch for unusual activity in development environments.
- Ongoing Verification: Don’t assume trust is permanent. Periodically re-verify identities and device locations to detect late-stage compromises.
The Bigger Picture
This wave of infiltrations goes beyond North Korea. It reflects a broader shift in how adversaries target software development. Research shows generative AI speeds up both defense and attack—helping defenders detect threats faster while giving attackers scalable tools.
Securing the software supply chain demands attention to both code and the people building it. The same care given to scanning dependencies and vetting packages must now apply to personnel. Only with this combined focus can organizations maintain the integrity of their software development.
For IT and development professionals seeking to understand AI’s evolving role in security and software development, exploring focused AI training courses can provide valuable insights. Check out Complete AI Training's latest AI courses for practical knowledge on AI's impact in development and security.
Your membership also unlocks:
