Malicious North Korean packages appear again in open source code repository


North Korean hackers continue to exploit the widely used npm code repository, publishing malicious packages intended to infect software developers’ devices with malware, according to recent research.

The cybersecurity firm Phylum, which specializes in monitoring the supply chains of open-source software, said it recently observed a renewed surge of activity on npm from North Korean groups tracked as Contagious Interview and Moonstone Sleet. The npm repository allows developers to publish and share JavaScript packages, libraries and tools.

According to earlier reports, Contagious Interview got its name because, in prior attacks, the hackers attempted to infect software developers with malware through a fictitious job interview.

Moonstone Sleet has targeted software companies and defense firms with custom ransomware variants and elaborate scams. 

The North Korean regime is known for stealing cryptocurrency and running scams to fund its sanctioned nuclear weapons program and other operations.

Phylum said the malicious packages posted to npm are named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.

“These attacks are characterized by multi-stage obfuscated JavaScript that downloads additional malware components from remote servers,” the researchers said.

The hackers’ goals likely include “exfiltrating sensitive data from cryptocurrency wallet browser extensions while establishing persistence on the victim’s machine.” 

“These adversaries continuously exploit the inherent trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or any other assets that could lead to illicit financial gains,” Phylum said.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
