North Korea’s Moonstone Sleet Widens Distribution of Malicious Code

June 13, 2024 at 03:33PM

A newly identified North Korean threat actor, Moonstone Sleet, is expanding its distribution of malicious npm packages to public registries, targeting the software supply chain and open source code repositories. It differentiates itself through various techniques, posing a growing risk to the open source community. Organizations are urged to implement proactive measures to ensure software supply chain security.

The article highlights a significant increase in malicious activity by a newly identified North Korean threat actor, called Moonstone Sleet, targeting the software supply chain by poisoning open source code repositories. This group has been conducting espionage and financially motivated cyberattacks against aerospace, education, and software organizations and developers.

One notable aspect of Moonstone Sleet's activity is its wider distribution of malicious npm packages in public open source package repositories, which lets the group expand its attack surface. Checkmarx researchers emphasized that the open-source ecosystem has become a prime target for powerful adversaries such as Moonstone Sleet, particularly in light of recent attacks by Russian and North Korean threat actors.

Moonstone Sleet has also differentiated itself from another North Korean actor, Lazarus, through the structure and style of its malicious code packages. For example, Moonstone Sleet uses a single-package approach executing its payload immediately upon installation, and has adapted its code to target Linux systems, while Lazarus designed its packages to work in pairs to make it more challenging to detect and trace the malicious activity back to a single source.

The article stresses the growing risk posed by the persistent campaign of North Korean threat actors publishing malicious npm packages, highlighting the need for organizations to take responsibility for the safety of their software supply chain. This includes scanning the code in packages for malicious behaviors before making them available to developers, as well as collaborating and sharing information within the security community to identify and thwart these attacks. Overall, the article underscores the evolving threat to the open-source ecosystem and the importance of proactive measures to safeguard its security and integrity.
