Recent findings by cybersecurity firm Phylum reveal a concerning development in the software supply chain, as fake npm packages on the Node.js repository have been linked to North Korean state-sponsored actors. Disguised as legitimate utilities like execution-time-async and data-time-utils, these packages, when downloaded, install malicious scripts, including a cryptocurrency and credential stealer. The attackers took measures to obfuscate the code, concealing it within a test file, making detection challenging. Notably, the malicious npm package execution-time-async, masquerading as its authentic counterpart, was downloaded 302 times before its removal on February 4, 2024.
The threat actors behind this campaign made sophisticated efforts to fetch next-stage payloads, targeting browsers such as Brave, Google Chrome, and Opera. Phylum identified clues in the source code leading to a GitHub profile named “Nino Acuna” or binaryExDev, associated with a repository called File-Uploader. The campaign seems to be ongoing, with at least four more suspicious packages making their way to the npm package repository, accumulating a total of 325 downloads.
Connecting the dots, Phylum uncovered links to North Korean actors through shared repositories and tactics reminiscent of previous campaigns, such as Contagious Interview. Developers are urged to remain vigilant, especially in open-source environments, where attackers use elaborate schemes to distribute rogue npm packages.
Reference: