North Korean hackers target developers in latest npm attack wave

Sep 02, 2024

A fresh offensive by suspected North Korean hacking groups has targeted the open-source software community with a series of malicious packages uploaded to the npm repository.

Identified by cybersecurity firm Phylum, the attacks leverage multiple techniques and appear designed to steal cryptocurrency and sensitive data from unsuspecting developers.

The campaign began on 12th August and involves several distinct publication patterns and attack types, suggesting the involvement of multiple groups or a coordinated effort with shared objectives.

“These attacks are characterised by multi-stage obfuscated JavaScript that downloads additional malware components from remote servers,” explains Phylum.

These components – which include Python scripts and even a full Python interpreter – systematically scour infected machines for cryptocurrency wallets and other sensitive information, then attempt to exfiltrate the data.

Phylum highlights three distinct attack vectors employed in this campaign, linking some to previously identified North Korean operations:

  • Contagious Interview: Packages like “temp-etherscan-api,” “ethersscan-api,” and “qq-console” exhibit behaviours consistent with the “Contagious Interview” campaign, previously observed in February and June of this year.
  • Fake job lures: The “helmet-validate” package directly executes code from a server linked to the “mirotalk[.]net” domain, previously used in fake job listing scams attributed to North Korean actors.
  • Moonstone Sleet: The “sass-notification” package employs obfuscated JavaScript to deploy malicious payloads, echoing methods observed in the “Moonstone Sleet” campaign reported by Phylum in November 2023 and July 2024.

Publication timeline:

Name                 Version   Publication Time
qq-console           0.0.1     2024-08-27 19:07
sass-notification    1.0.0     2024-08-27 18:15
helmet-validate      0.0.1     2024-08-23 02:39
ethersscan-api       0.0.3     2024-08-23 02:31
telegram-con         0.0.1     2024-08-23 02:31
ethersscan-api       0.0.2     2024-08-12 03:53
ethersscan-api       0.0.1     2024-08-12 03:53
temp-etherscan-api   0.0.1     2024-08-12 02:47
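A defender-side check built from the timeline above, as an added example that is not from the article or from Phylum: it walks a project's package-lock.json (lockfile v1 tree or v2/v3 "packages" map) and reports any installed package whose name matches one of the listed publications, noting whether the installed version is one of the listed ones. The sample lockfile is constructed for the demonstration.

```javascript
// Indicators taken from the publication timeline in the article.
const INDICATORS = {
  'qq-console': ['0.0.1'],
  'sass-notification': ['1.0.0'],
  'helmet-validate': ['0.0.1'],
  'ethersscan-api': ['0.0.1', '0.0.2', '0.0.3'],
  'telegram-con': ['0.0.1'],
  'temp-etherscan-api': ['0.0.1'],
};

// Return every installed package whose name matches an indicator.
// A matching name with an unlisted version is still reported, since a
// later release of a malicious package is not a safer one.
function findCampaignPackages(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (!(name in INDICATORS)) return;
    hits.push({ name, version, where, versionListed: INDICATORS[name].includes(version) });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as node_modules/a/node_modules/b
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry
      const marker = 'node_modules/';
      const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, prefix + name);
        walk(meta.dependencies, prefix + name + ' > ');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile: one direct hit and one transitive hit with an unlisted version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ethersscan-api': { version: '0.0.3' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/express/node_modules/qq-console': { version: '0.0.2' },
  },
};

for (const h of findCampaignPackages(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version} at ${h.where} (listed version: ${h.versionListed})`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.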

“The diversity and simultaneous deployment of these attack vectors reveal a coordinated and relentless campaign by North Korean-aligned threat actors,” warns Phylum.

This latest wave of attacks underscores the ongoing threat to software supply chains, particularly those reliant on open-source repositories like npm. Threat actors continue to exploit the inherent trust within these ecosystems to target developers, potentially compromising countless downstream users.
