Malicious North Korean packages appear again in open source code repository


North Korean hackers continue to exploit the widely used npm code repository, publishing malicious packages intended to infect software developers’ devices with malware, according to recent research.

The cybersecurity firm Phylum, which specializes in monitoring the supply chains of open-source software, said it recently observed a renewed surge of activity on npm from North Korean groups tracked as Contagious Interview and Moonstone Sleet. The npm repository allows developers to publish and share JavaScript packages, libraries and tools.

According to previous reports, Contagious Interview got its name because, in earlier attacks, the hackers attempted to infect software developers with malware through a fictitious job interview.

Moonstone Sleet has targeted software companies and defense firms with custom ransomware variants and elaborate scams. 

The North Korean regime is known for stealing cryptocurrency and running scams to fund its sanctioned nuclear weapons program and other operations.

Phylum said the malicious packages posted to npm are named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.

“These attacks are characterized by multi-stage obfuscated JavaScript that downloads additional malware components from remote servers,” the researchers said.

The hackers’ goals likely include “exfiltrating sensitive data from cryptocurrency wallet browser extensions while establishing persistence on the victim’s machine.” 

“These adversaries continuously exploit the inherent trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or any other assets that could lead to illicit financial gains,” Phylum said.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 
