BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers


October 28, 2024 at 11:36AM

In September 2024, three malicious npm packages were discovered containing BeaverTail malware, linked to North Korean campaigns targeting developers. The packages, now removed, included backdoored versions of popular libraries. Ongoing threats exploit the open-source ecosystem, highlighting developers as valuable targets in cyberattacks.

### Meeting Takeaways: Malware / Threat Intelligence – October 28, 2024

1. **Malicious Packages Identified**: Three malicious npm packages containing BeaverTail malware were discovered:
– **passports-js** (118 downloads)
– **bcrypts-js** (81 downloads)
– **blockscan-api** (124 downloads)
– All these packages have been removed from the npm registry.

2. **Ongoing Campaign**: These incidents are linked to the ongoing North Korean campaign labeled **Contagious Interview**, which aims to deceive developers into downloading malicious software disguised as coding tests or legitimate applications.

3. **Threat Actor Tracking**: The activity is being monitored by the Datadog Security Research team under the name **Tenacious Pungsan** and associated with other identifiers: CL-STA-0240 and Famous Chollima.

4. **Historical Context**: The use of npm packages to distribute BeaverTail is not new. In August 2024, Phylum documented a similar case involving different but related packages that included threats like InvisibleFerret.

5. **Target Sector**: The cryptocurrency sector appears to be a persistent target, as demonstrated by repeated attempts to replicate popular packages like etherscan-api.

6. **Recent Detection**: Stacklok separately reported two further counterfeit packages, **eslint-module-conf** and **eslint-scope-util**, built to steal cryptocurrency and keep persistent access to compromised developer machines.

7. **Exploiting Trust**: The campaign has effectively leveraged job seekers’ trust and urgency, highlighting vulnerabilities in the software supply chain, particularly among individual developers.

8. **Key Insight**: Copying and backdooring legitimate npm packages remains a prevalent strategy among threat actors, emphasizing the importance of security within the open-source ecosystem.

### Action Items
– Brief developer teams on the Contagious Interview lure: unsolicited "coding tests" or sample projects sent during a hiring process should be treated as untrusted code and run only in a disposable environment, if at all.
– Search lock files (package-lock.json, yarn.lock) and node_modules on developer machines and CI runners for the five package names above; the packages are gone from the registry, but copies already installed are not.
– Add tooling that flags newly introduced dependencies whose names closely resemble popular packages, since copied-and-backdoored look-alikes are the recurring pattern in this campaign.
– Stay updated on similar malicious activities and share findings within the organization.
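The lock-file audit suggested above, as an added example written for this summary (it is not code from Datadog, Phylum, Stacklok or npm). It reads a lockfileVersion 2/3 `package-lock.json` object, flags the five package names reported on this page, flags names within one edit of a popular package after normalising case, separators and a trailing "js", and flags anything resolved outside `registry.npmjs.org`. The page names only `etherscan-api` as an imitated package; treating `passport` and `bcryptjs` as the targets of `passports-js` and `bcrypts-js` is an assumption of this example, and the sample lock file (including the look-alike `pasport`) is constructed.

```javascript
// Added example: audit a package-lock.json object for the package names on
// this page and for look-alike names. Assumes lockfileVersion 2/3 with a
// top-level "packages" map keyed "node_modules/<name>" (nested as
// "node_modules/a/node_modules/b").

// Names reported on this page: the three BeaverTail packages plus the two
// counterfeit eslint packages Stacklok found.
const KNOWN_BAD = new Set([
  "passports-js", "bcrypts-js", "blockscan-api",
  "eslint-module-conf", "eslint-scope-util",
]);

// Legitimate packages the counterfeits imitate. Only etherscan-api is named
// on the page; passport and bcryptjs are assumptions for this example.
const POPULAR = ["passport", "bcryptjs", "etherscan-api"];

// Optimal string alignment distance: insert, delete, substitute and adjacent
// transposition each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse the cosmetic variation typosquats rely on: case, separators and a
// trailing "js" ("passports-js" -> "passports", "bcryptjs" -> "bcrypt").
function normalize(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, "").replace(/js$/, "");
}

// Last path component after "node_modules/" is the package name.
function packageName(lockKey) {
  const parts = lockKey.split("node_modules/");
  return parts[parts.length - 1];
}

function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = packageName(key);
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, reason: "known BeaverTail / Contagious Interview package" });
      continue;
    }
    const norm = normalize(name);
    for (const popular of POPULAR) {
      const pn = normalize(popular);
      if (norm !== pn && editDistance(norm, pn) <= 1) {
        findings.push({ name, reason: `looks like ${popular}` });
        break;
      }
    }
    const resolved = entry.resolved || "";
    if (resolved && !resolved.startsWith("https://registry.npmjs.org/")) {
      findings.push({ name, reason: `resolved outside the public registry: ${resolved}` });
    }
  }
  return findings;
}

// Constructed sample lock file for the demonstration; not a real project's.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/passport": { version: "0.7.0", resolved: "https://registry.npmjs.org/passport/-/passport-0.7.0.tgz" },
    "node_modules/bcrypts-js": { version: "2.4.5", resolved: "https://registry.npmjs.org/bcrypts-js/-/bcrypts-js-2.4.5.tgz" },
    "node_modules/passports-js": { version: "0.7.0", resolved: "https://registry.npmjs.org/passports-js/-/passports-js-0.7.0.tgz" },
    "node_modules/etherscan-api": { version: "10.3.0", resolved: "https://registry.npmjs.org/etherscan-api/-/etherscan-api-10.3.0.tgz" },
    "node_modules/blockscan-api": { version: "10.3.0", resolved: "https://registry.npmjs.org/blockscan-api/-/blockscan-api-10.3.0.tgz" },
    "node_modules/pasport": { version: "0.7.0", resolved: "https://registry.npmjs.org/pasport/-/pasport-0.7.0.tgz" },
    "node_modules/some-lib/node_modules/left-pad": { version: "1.3.0", resolved: "https://example.invalid/left-pad.tgz" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.name}: ${f.reason}`);
```

Note the limit of the look-alike check: `blockscan-api` is five edits from `etherscan-api`, so it borrows the `-scan-api` branding rather than misspelling a name and is caught here only by the explicit indicator list. Edit-distance heuristics belong alongside, not instead of, indicator feeds and review of newly added dependencies.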
