Alert: Hackers Use Bogus npm Packages To Target Developers
North Korean threat actors have recently been observed publishing malicious packages to the npm registry. According to reports, these activities point to a coordinated effort to target developers with malware and steal cryptocurrency assets. In this article, we’ll go over the details of these npm packages and the tactics developers should watch out for. Let’s begin.
npm Packages: Latest Attack Wave Observed
The latest wave of attacks using these npm packages was observed on August 12th and August 24th this year. The packages currently deemed malicious include:
- temp-etherscan-api
- ethersscan-api
- telegram-con
- helmet-validate
- qq-console
Providing details about the techniques used in the npm package campaigns and on the involvement of North Korean threat actors, Phylum, a supply chain security firm, has stated that:
“Behaviors in this campaign lead us to believe that qq-console is attributable to the North Korean campaign known as ‘Contagious Interview.’”
Contagious Interview Uncovered
Contagious Interview is a North Korean cyberattack campaign that aims to compromise software developers by deploying information-stealing malware, delivered through a fabricated job interview process.
It tricks users into downloading bogus packages. Users can also be tricked into downloading fake installers for video conferencing software; MiroTalk is a common example of such installers, and they are often hosted on decoy websites.
The final objective of these attacks is to deploy a Python payload named InvisibleFerret. This payload can harvest sensitive data from cryptocurrency wallet extensions and can also establish persistence on the target device.
Developers looking to mitigate this threat should also know that the remote desktop software AnyDesk is part of the threat actor’s toolkit.
Malicious npm Packages Used In The Attacks
According to Phylum’s investigation of the attack, the newly observed helmet-validate package takes a different approach. It embeds a JavaScript file named “config.js” that uses the eval() function to directly execute JavaScript hosted on a remote domain, “ipcheck[.]cloud.”
Providing details regarding the domain, Phylum has stated that:
“Our investigation revealed that ipcheck[.]cloud resolves to the same IP address (167[.]88[.]36[.]13) that mirotalk[.]net resolved to when it was online.”
Another of the npm packages discovered is called “saas-notification.” It was uploaded on August 27th, 2024, and had similarities with a previously uncovered npm library called “call-blockflow.”
It’s worth mentioning that these packages are linked to Moonstone Sleet, another North Korean threat actor group. Commenting on these attacks, Phylum stated that:
“These attacks are characterized by using obfuscated JavaScript to write and execute batch and PowerShell scripts. The scripts download and decrypt a remote payload, execute it as a DLL, and then attempt to clean up all traces of malicious activity, leaving behind a seemingly benign package on the victim’s machine.”
Conclusion
To safeguard against these evolving threats, developers must remain vigilant, scrutinize npm packages before installing them, and stay aware of North Korean campaigns such as Contagious Interview and groups such as Moonstone Sleet. By implementing stringent security measures, staying informed, and adopting secure coding practices, developers can significantly reduce the risk of falling victim to such attacks.
The sources for this piece include articles in The Hacker News and The Record.