A newly identified North Korean threat actor, named Moonstone Sleet, has been expanding its distribution of malicious Node Package Manager (npm) code to public registries, targeting the software supply chain by poisoning open-source code repositories. This group differentiates itself from other state-sponsored entities, such as the well-known Lazarus group, by using unique techniques like a single-package approach that executes its payload immediately upon installation. Unlike Lazarus, which uses a dual-package method to obscure its activities, Moonstone Sleet’s recent packages are more sophisticated, targeting both Windows and Linux systems.
Moonstone Sleet’s activity highlights the growing threat to the open-source ecosystem, as the group leverages the trust developers place in public registries to spread its malicious code. Researchers from CheckMarx, who uncovered the breadth of Moonstone Sleet’s operations, emphasized that this group is a serious threat to various industries, including aerospace, education, and software development. The group’s tactics include using malicious npm packages to infiltrate organizations by applying for remote tech jobs, spreading their malicious code through platforms like LinkedIn and freelancer websites.
CheckMarx researchers also pointed out that the attack on the software supply chain is not a new tactic but has been used in the past, as seen with the XZ Utils data compression utility incident. Moonstone Sleet’s activities underscore the persistent and evolving nature of threats to the open-source community, which has become a prime target for powerful adversaries like North Korea. The group’s methods are not just limited to code obfuscation but also involve sophisticated techniques to evade detection and target multiple operating systems.
The ongoing attacks by Moonstone Sleet, coupled with similar efforts by other North Korean and Russian threat actors, highlight the importance of securing the software supply chain. Developers and organizations are urged to be vigilant, scanning code for malicious behaviors before making it available to developers. Collaborative efforts within the open-source community and sharing information with the security community are critical in identifying and thwarting these attacks to ensure a safer and more secure open-source ecosystem.
Reference:
