package
Image: Kindel Media via Pexels

Malicious North Korean packages appear again in open source code repository

North Korean hackers continue to exploit the widely used npm code repository, publishing malicious packages intended to infect software developers’ devices with malware, according to recent research.

The cybersecurity firm Phylum, which specializes in monitoring the supply chains of open-source software, said it recently observed a renewed surge of activity on npm from North Korean groups tracked as Contagious Interview and Moonstone Sleet. The npm repository allows developers to publish and share JavaScript packages, libraries and tools.

According to previous reports, Contagious Interview got the name because, in previous attacks, the hackers attempted to infect software developers with malware through a fictitious job interview. 

Moonstone Sleet has targeted software companies and defense firms with custom ransomware variants and elaborate scams. 

The North Korean regime is known for stealing cryptocurrency and running scams to fund its sanctioned nuclear weapons program and other operations.

Phylum said the malicious packages posted to npm are named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.

“These attacks are characterized by multi-stage obfuscated JavaScript that downloads additional malware components from remote servers,” the researchers said.

The hackers’ goals likely include “exfiltrating sensitive data from cryptocurrency wallet browser extensions while establishing persistence on the victim's machine.” 

“These adversaries continuously exploit the inherent trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or any other assets that could lead to illicit financial gains,” Phylum said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.