This all stinks of Lazarus:
https://en.wikipedia.org/wiki/Lazarus_Group
I've done incident responses for this exact type of attack multiple times. They've gotten much better organized lately and will often contact developers directly (over LinkedIn or WhatsApp) to run this type of attack. (Although, usually pretending to run a test for a job interview -- which is maybe why the author was confused about the code)
Why assume it is Lazarus?
This sort of an attack is comically simple to pull off with a 12b obliterated LLM model and some basic scripts and proxies.
Security has to evolve, or the world will be cooked by script kiddies running email loops.
There's really nothing sophisticated about this these days, and it's only a short matter of time before it becomes commonplace.
100%. I can't find it now, but someone last month posted a similar story on HN. The threat actor had stolen someone's GitHub account and altered their otherwise legitimate looking repo. They'll expend a lot of effort in order to masquerade and trick you. TraderTraitor is another good DPRK example.
Anyone reading - if you're ever a victim, it's worth reporting to your national CERT and your org. The CERT can provide advice, it's useful for their threat intel, and your org can check their systems. You might not be the end target.