There were indications of inexperience in the scripts used in the payload, including the use of an AI assistant to write the malicious code, which the researchers inferred from the characteristic comments explaining almost every line of code.
Additionally, the account “bvk” used to upload these packages had been dormant since its creation in June 2023. This fact alone should have been a telling sign for developers, believes Mike McGuire, senior security solutions manager at Black Duck.
In a comment to CSO, McGuire said, “In their eagerness to leverage DeepSeek in their tasks, many developers missed the ‘red flag’ that they were downloading packages from an account with a limited, poor reputation, and had their environment variables and secrets compromised as a result.”