Watch out for North Korean hackers targeting developers with NPM

September 3, 2024
1 min read




North Korean Hackers Attack Developers Via Malicious NPM Packages

TLDR:

North Korean hackers are targeting developers with malicious NPM packages, using advanced techniques to deploy malware and steal sensitive information. This campaign, linked to the C2 “Contagious Interview,” utilizes multi-layered masked JavaScript and involves the use of typosquatted packages with obfuscated JavaScript payloads. The attackers use package.json script fields to invoke malicious code, highlighting the clear advancements in North Korean operations.

Article:

North Korean hackers are actively targeting developers via malicious NPM packages, using advanced tactics to deploy malware and steal sensitive information. The hackers have renewed their malicious campaign on npm, publishing multiple packages since August 12, 2024, including temp-etherscan-api, ethersscan-api, telegram-con, and qq-console. These packages contain multi-layered masked JavaScript that can retrieve additional malware features from the internet.

One of the methods used by the threat actors is embedding code in config.js and using the eval() construct to load external JavaScript. The attackers also use typosquatted packages with heavily obfuscated JavaScript payloads to execute multi-stage attacks, starting with batch scripts that spawn PowerShell processes. The campaign showcases the evolution of Tactics, Techniques, and Procedures (TTPs) utilized by North Korean APT groups, such as ‘Moonstone Sleet’, to target the developer community.

The attackers utilize package.json script fields to maliciously invoke code on npm install or during the build process, demonstrating their ability to evade static analysis and endpoint protection methods. The campaign highlights the sophistication of North Korean operations and their capability to avoid detection while carrying out supply chain attacks. By leveraging these advanced techniques, the threat actors can continue to operate and infiltrate developer systems undetected.

The IoCs (indicators of compromise) identified in this campaign include malicious sites like ipcheck[.]cloud, along with specific package names and version numbers. The researchers emphasize the importance of monitoring and securing npm packages to prevent further attacks and protect developer systems from compromise. Overall, this campaign underscores the need for heightened cybersecurity measures within the developer community to mitigate the risk posed by targeted attacks like these.


Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and