North Korean Hackers Targeting Developers with Malicious npm Packages

February 26, 2024 at 07:39AM

Fake npm packages linked to North Korean state-sponsored actors were discovered on the Node.js repository, constituting a software supply chain attack. The malicious packages, posing as legitimate ones, installed cryptocurrency and credential stealers. The attackers took steps to conceal the code, and the packages were linked to North Korean threat actors. Vigilance against such attacks on open-source code is crucial.

A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors. The malicious npm package execution-time-async, which was downloaded 302 times before being taken down, was found to contain a cryptocurrency and credential stealer. The threat actors hid the obfuscated malicious code in a test file designed to fetch next-stage payloads from a remote server and retrieve various malicious scripts.

Further investigation revealed connections to North Korean actors through analysis of the GitHub accounts involved in forking repositories and through efforts to actively circumvent takedowns. Additionally, the campaign overlaps with another JavaScript-based malware campaign, dubbed BeaverTail, which is propagated through npm packages.

The campaign, codenamed Contagious Interview, mainly targets developers through fake identities in freelance job portals to trick them into installing rogue npm packages. It’s crucial for individual developers and software development organizations to remain vigilant against these attacks in open-source code.
