North Korean Hackers Launch New Wave of npm Package Attacks

Security

A recent surge in malicious activity involving North Korean-linked threat groups has been identified by cybersecurity researchers, revealing a coordinated campaign targeting thenpm ecosystem.

The campaign began on August 12 2024, and involved publishing malicious npm packages designed to infiltrate developer environments and steal sensitive data.

The newly discovered packages, including temp-etherscan-api, ethersscan-api and telegram-con, exhibit sophisticated tactics such as multi-stage obfuscated JavaScript that downloads additional malware from remote servers.

Malicious npm Packages

According to a blog post published by Phylum today, the malware includes Python scripts and a full Python interpreter, which search for data in cryptocurrency wallet browser extensions while establishing persistence on the affected systems. Notably, the qq-console package is attributed to a known North Korean campaign named “Contagious Interview.”

Researchers identified another package, helmet-validate, published on August 23 2024, which employs a different attack method. It inserts JavaScript code that retrieves and executes malicious code from a remote endpoint, ipcheck[.]cloud. This domain is linked to previous North Korean operations, including fake job campaigns using the mirotalk[.]net domain, highlighting a pattern of recurring tactics.

The most recent package, sass-notification, was published on August 27 2024, and is linked to the “Moonstone Sleet” campaign. This package uses obfuscated JavaScript to run scripts that download, decrypt and execute remote payloads while removing traces of malicious activity, leaving behind what appears to be harmless software.

Read more on North Korean cyber-threats: North Korean Hackers Spoofing Journalist Emails to Spy on Policy Experts

Increasing Exploitation of npm By Threat Actors

Phylum warned these attacks underscore the increasing exploitation of npm by threat actors to compromise developer systems. 

“The diversity and simultaneous deployment of these attack vectors reveal a coordinated and relentless campaign by North Korean-aligned threat actors,” the company said.

“These adversaries continuously exploit the inherent trust in the npm ecosystem to compromise developers, infiltrate companies and steal cryptocurrency or any other assets that could lead to illicit financial gains.”

Products You May Like

Articles You May Like

New MedusaLocker Ransomware Variant Deployed by Threat Actor
Northern Ireland Police Data Leak Sees Service Fined by ICO
U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown
How Confidence Between Teams Impacts Cyber Incident Outcomes
Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *