ReadMe
Founded Year
2014Stage
Series A | AliveTotal Raised
$10.29MLast Raised
$9M | 5 yrs agoMosaic Score The Mosaic Score is an algorithm that measures the overall financial health and market potential of private companies.
-1 points in the past 30 days
About ReadMe
ReadMe is an online platform for companies to document and showcase their application programming interface (API). The company offers interactive developer hubs that transform static API documentation into interactive guides, providing onboarding, ongoing guidance, and usage insights. The services primarily cater to the software development industry. It was founded in 2014 and is based in San Francisco, California.
Loading...
Loading...
Latest ReadMe News
Sep 13, 2024
RL found the VMConnect campaign continuing with malicious actors posing as recruiters, using packages and the names of financial firms to lure developers. Read More... ReversingLabs researchers have identified new, malicious software packages believe to be linked to a campaign, VMConnect, that our team first identified in August 2023 and which has ties to the North Korean hacking team Lazarus Group. The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews. Furthermore, information gathered from the detected samples allowed us to identify one compromised developer and provided insights into an ongoing campaign, with attackers posing as employees of major financial services firms. Here is a detailed account of our discovery of the latest, malicious campaign. History In August 2023, ReversingLabs published two research posts describing the VMConnect campaign and its connection to North Korea's Lazarus Group . The relation to the Lazarus Group was based on information gathered in research conducted by Japanese CERT. As the team wrote at the time: Malicious PyPI packages that were pretty good imitations of popular, open source Python tools were discovered. Besides the functionality duplicated from the legitimate tools, they contained malicious downloader functionality, well hidden in the code base. Code similarities between the discovered samples and those found and documented as part of research by Japan’s CERT supported the attribution of the campaign to the North Korean APT Lazarus. Job interviews: A familiar attack vector The J apan CERT research provided additional insights into the methods of delivering malware used by this threat actor. One method that was of particular interest was the delivery of malware as a Windows Help file (CHM) embedded in an archive and the use of LinkedIn accounts pretending to be job recruiters to seed the malware to targeted individuals. This very same technique was described in research published by Palo Alto’s Unit 42 . That report noted malware authors also tried to convince their targets into downloading malicious NPM packages from GitHub repositories. In a scan earlier this year, the RL research team observed similar behaviors in association with a different set of packages. Researchers also found evidence that malicious threat actors are targeting Python developers, in addition to targeting npm and Javascript developers, as seen in the earlier campaigns. Spotting the threat ReversingLabs threat hunting workflows include the continuous monitoring of previously identified threats. RL tracks behavior indicators as well as YARA rules. One such threat hunting YARA rule created by Japan CERT and related to the VMConnect campaign looks for a specific, first stage Python downloader. In June 2024, this YARA rule got matched against several samples uploaded to our Spectra Intelligence platform, triggering a spectra detection. Our Spectra Intelligence platform enables security- and threat hunting teams to pivot on threat samples in a very simple way: identifying files and packages related to the sample you are looking at as quickly as possible. In Spectra Intelligence, this is easily done by looking at the Relationships tab (Figure 1) for a given file sample, which provides a list of parent- and container files from which the observed sample was extracted. Figure 1: Relationship information for the analyzed sample This analysis revealed that the direct parent of the detected, malicious files is a PythonPYC file, meaning that once again the team encountered malware hidden in a compiled Python file, a story similar to campaigns described in previous research posts in which the RL team described encountering malware hidden in compiled Python files. Practically, compiled PYC files are used in cases when the source code in a plaintext python file with the same name hasn't been modified since the date of the most recent version of the compiled file. In that case, the cached compiled file is presumed to be identical to the non-compiled file and gets executed, resulting in faster execution. As RL researchers mentioned in our earlier discussion, this feature poses a risk. First, it is more difficult to scan compiled Python files than plaintext files, as they are packed into a binary format, making them unreadable without specialized tools. In the case of the newly discovered packages, further inspection of the files revealed that the plaintext Python files with the same names also contained the malicious code. However, the malicious project would function even if these plaintext files weren’t shipped, as the malicious code would get executed from the cached, compiled PYC file. The lure: Developer coding tests Pivoting again on the direct parent file and looking at its relationships to other files revealed links to several top-level open source containers. This gave us insight into the nature of this malicious campaign. Looking at their content shows that all of them represent coding skills tests linked to job interviews. For example, the team sees archives with names like Python_Skill_Assessment.zip and Python_Skill_Test.zip. This correlates with the fake job interview attack seen in prior campaigns. Figure 2: Content of the README file instructing job candidate to execute malicious code The content of nearly identical README files included with the packages provides more insight into what the victim encountered. They contain instructions for the job candidates to find and fix a bug in a password manager application, republishing their fix and taking screenshots to document their coding work. The README files tell would-be candidates to make sure the project is running successfully on their system before making modifications. That instruction is intended to make sure that the malware execution is triggered regardless of whether the job candidate (aka “the target”) completes the assigned coding assignment. Figure 3: File hierarchy of the PasswordManager project distributed as the interview task The malware Specifically, the malicious code our research team identified in this campaign was contained in altered pyperclip and pyrebase modules. The malicious code is present in both the __init__.py file and its corresponding compiled Python file (PYC) inside the __pycache__ directory of respective modules. Figure 4: Base64 encoded malicious downloader code from __init__.py file The code is implemented as a Base64 encoded string which hides downloader code. The malicious functionality in this file is identical to that observed in the samples from earlier iterations of the VMConnect campaign. Once again, RL researchers observed Base64 encoded malicious code making a HTTP POST request to the C2 server and executes Python commands received in the response. Figure 5: Execution of base64 encoded malicious downloader code from __init__.py file Loaded tests: How developers were targeted While pivoting on sample 6a8b8bbd83ea4cfeaadaf397700f75681aaddbea to view its parent relations, we came across a related archive named Python_Skill_Test. As its name suggests, this package posed as a coding skills test for the Python programming language. The Python_Skill_Test archive contains a README file with instructions for the developer. Figure 6: Urgency messages in README file from the Python_Skill_Test project Specifically, the instructions set a timeframe for completing the assignment (finding a coding flaw in the package and fixing it). It is clearly intended to create a sense of urgency for the would-be job seeker, thus making it more likely that he or she would execute the package without performing any type of security or even source code review first. That ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer’s system. Evidence of the who and how What made researching this campaign particularly interesting was the evidence we uncovered that identified likely victims of the campaign. In most of our research, we aren’t able to determine how the victims got infected with the malware they submit to us to analyze. That’s because our Spectra Intelligence product does not reside on users’ endpoints and, therefore, cannot see the initial stages of an attack. In the case of this campaign, however, there were artifacts in one of the solved coding tests submitted to the malicious actors that provided us with clues as to how the attack was framed, and also helped us identify one of the victims. Attackers pose as financial services firms As the Readme file shows, the malicious actors behind this campaign impersonated Capital One, a major U.S. financial services firm. Posing as financial services firms appears to be one of the characteristics of this campaign. For example, another archive we analyzed was named RookeryCapital_PythonTest.zip, invoking the name of another, less well-known financial services firm. There is no evidence linking any of these packages to code or packages belonging to these or other financial services firms, nor does it appear the firms in question were aware that malicious actors were illegally using their names as part of their malicious campaigns. Figure 7: Content of the Python_Skill_Test archive Config file reveals targeted developer Beyond identifying the means by which developers were targeted, a malicious package we analyzed may have also helped us identify one of the targeted developers. Specifically: when analyzing a .git folder present in one of the detected archives, we discovered a config file that contained the url of the original GitHub repository where the malware was hosted. That code repository has since been removed from GitHub. Figure 8: Content of the config file including the url to the original GitHub repository However, in addition to the config file, there was a logs directory which stored the changes made to refs in the repository and contains several HEAD files. In one of these HEAD files, we discovered the full name and email of the developer who cloned the repository and implemented the required feature, as required by the test. Figure 9: Content of the HEAD file containing developers full name and email Searching open source information for the name led us to a GitHub profile of the developer. After establishing contact with the developer, we confirmed that he had fallen victim to the malicious actor pretending to be a recruiter from Capital One in January, 2024. In an email exchange with ReversingLabs, he revealed that he had been contacted from a LinkedIn profile and provided with a link to the GitHub repository as a “homework task.” The developer was asked to “find the bug,” resolve it and push changes that addressed the bug. When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug — to make sure that developer executed the project on his machine. Figure 10: Newly published GitHub repository containing the same malicious code An active threat? While these attacks date back more than six months, there is evidence that this campaign is ongoing. Specifically: on July 31, RL came across a newly published GitHub repository named “testing” that was nearly identical to the earlier GitHub archives and contained the same malicious code. Digging deeper, there are some interesting coincidences associated with this newly discovered project and the older testing archives, such as: The account associated with the new GitHub project, ponpon262612, was created on January 19th 2024. That’s the very same day the developer we emailed was compromised in the attack, according to the log files we analyzed. The new GitHub account was dormant for months after it was created, but sprang to life, posting the new /testing project on July 31st, 2024 - the same day that ReversingLabs first established contact with the compromised developer. Figure 11: Activities of the GitHub account publishing new packages Is this a coincidence? Probably not. The correlation between the new project being published to GitHub on the same day that we reached out to one of the targeted developers regarding our discovery of the earlier, malicious GitHub archives may be a sign that the malicious actor still has access to the developer’s system and was privy to his communications. Seeing that their malicious project had been exposed might have prompted the malicious actor to post a carbon copy of it under another name. Another possibility is that the developer we exchanged emails with is actually linked to this campaign in some way, not simply a victim of it. Regardless, the new repository was reported to the GitHub security team and has been removed.. However, since the entire campaign has been active since early 2023 and new malicious samples and projects still surface from time to time, we believe it is safe to call this an “active campaign” and one that will likely remain active for some time. Conclusion One obvious conclusion from our latest findings, and the previously documented VMConnect campaign is “this story isn’t over.” Our research revealed continued malicious activity targeting developers working within sensitive organizations, with malicious Python packages that closely mirrored the kinds of threats documented in 2023 as part of the VMConnect campaign. As we noted, the details revealed by our analysis of the packages in question make clear that malicious actors were targeting developers and looking to install malicious downloaders on developer systems capable of fetching second and third stage malware such as backdoors and info stealers. Just like malicious attachments sent via email messages or web links, the developer “test” packages delivered via LinkedIn DMs likely provided a means of gaining a foothold on developer endpoints and, thereafter, exploit the developer’s permissions to move laterally and exploit other, higher value IT assets. Campaigns such as this that leverage open source packages and platforms to target developers are a growing trend among sophisticated cyber criminal and nation-state groups. North Korea’s Lazarus Group, which is believed to be behind this campaign, is a good indicator of how such threats are playing out. Lazarus is an advanced and very active threat actor focused on financial gain and cryptocurrency theft to benefit the government of North Korea. Threat reports from other research groups show that Lazarus and other North Korean threat actors are using a wide spectrum of offensive means to achieve their goals, including targeting developers and development organizations to infiltrate sensitive networks. To address this growing risk, organizations need to be on the lookout for such downloads while also educating their developers and other technical staff to be wary of any effort to trick them into downloading and executing code from an unknown source on their system. Keep learning Find the best building blocks for your next app with RL's Spectra Assure Community , where you can quickly search the latest safe packages on npm, PyPI and RubyGems. Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our White Paper .
ReadMe Frequently Asked Questions (FAQ)
When was ReadMe founded?
ReadMe was founded in 2014.
Where is ReadMe's headquarters?
ReadMe's headquarters is located at 14 Geary Street, San Francisco.
What is ReadMe's latest funding round?
ReadMe's latest funding round is Series A.
How much did ReadMe raise?
ReadMe raised a total of $10.29M.
Who are the investors of ReadMe?
Investors of ReadMe include Y Combinator, Accel, Bessemer Venture Partners, Mission and Market, F-Prime Capital and 5 more.
Who are ReadMe's competitors?
Competitors of ReadMe include StopLight and 4 more.
Loading...
Compare ReadMe to Competitors
Itorix focuses on providing enterprise-grade API (Application Programming Interface) lifecycle management and improved API governance in the Information Technology (IT) sector. The company offers a platform that manages the entire API lifecycle, from design and build to testing and deployment, with features such as automated workflows, versioning, and built-in plugins. It primarily serves businesses in the IT industry that require API strategy and management. It was founded in 2018 and is based in Bellevue, Washington.
HyperTest is a company that focuses on providing autonomous API testing and observability solutions in the tech industry. The company offers a no-code tool that uses network traffic to automatically generate end-to-end API tests, eliminating the need for teams to write or maintain any test suite. This tool is primarily used by teams in sectors such as ecommerce, fintech, SaaS, and Edtech. It was founded in 2019 and is based in Gurgaon, India.
Postman serves as an API platform in the technology sector, focusing on streamlining the API development process. The company offers a suite of tools that simplify building, testing, and collaborating on APIs, making it accessible for developers and organizations to create and manage APIs efficiently. Postman primarily serves the software development industry. It was founded in 2014 and is based in San Francisco, California.
Hasura is a software company that operates in the application development industry. The company provides a platform that generates instant GraphQL and REST APIs on new and existing data sources, simplifying and accelerating the process of application development. Hasura primarily serves the software development and tech industries. It was founded in 2017 and is based in San Francisco, California.
Lunar provides software development focused on API management. The company offers a platform for managing and optimizing 3rd party API usage, insights, and controls to ensure performance. It serves the software development and DevOps industries. It was founded in 2022 and is based in Tel Aviv-Yafo, Israel.
Nevatech is a company that specializes in Service-Oriented Architecture (SOA) and API Management in various environments, operating within the technology and software industry. The company offers a platform called Sentinet, which provides services such as API management, security, monitoring, analytics, and governance. This platform is designed to help businesses secure, manage, and maximize the value of their data interactions across different services within the enterprise or in the cloud. It is based in Marietta, Georgia.
Loading...