Malicious North Korean packages appear again in open source code repository

North Korean hackers continue to exploit the widely used npm code repository, publishing malicious packages intended to infect software developers’ devices with malware, according to recent research.

The cybersecurity firm Phylum, which specializes in monitoring the supply chains of open-source software, said it recently observed a renewed surge of activity on npm from North Korean groups tracked as Contagious Interview and Moonstone Sleet. The npm repository allows developers to publish and share JavaScript packages, libraries and tools.

According to previous reports, Contagious Interview got the name because, in previous attacks, the hackers attempted to infect software developers with malware through a fictitious job interview. 

Moonstone Sleet has targeted software companies and defense firms with custom ransomware variants and elaborate scams. 

The North Korean regime is known for stealing cryptocurrency and running scams to fund its sanctioned nuclear weapons program and other operations.

Phylum said the malicious packages posted to npm are named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.

“These attacks are characterized by multi-stage obfuscated JavaScript that downloads additional malware components from remote servers,” the researchers said.

The hackers’ goals likely include “exfiltrating sensitive data from cryptocurrency wallet browser extensions while establishing persistence on the victim's machine.” 

“These adversaries continuously exploit the inherent trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or any other assets that could lead to illicit financial gains,” Phylum said.