Skip to content Skip to footer

North Korean hackers are focusing on developers by using harmful npm packages.

Cybersecurity firm Phylum has discovered a set of fake packages on the Node.js repository that are linked to North Korean state-sponsored actors. The packages, namely execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils, are part of a software supply chain attack that targets developers, according to Phylum's findings. Of the packages, execution-time-async pretends to be its legitimate counterpart, execution-time, which has over 27,000 weekly downloads. Execution time is a Node.js tool that measures execution time in code. However, the fake package has malicious scripts, including a cryptocurrency and credential stealer. The package was downloaded 302 times since February 4, 2024, before being taken down.

The threat actors hid the obfuscated malicious code by embedding it in a test file. The file is designed to fetch next-stage payloads from a remote server, steal credentials from web browsers like Brave, Google Chrome, and Opera, and retrieve a Python script. The Python script then downloads other scripts, including ~/.n2/pay, which can run arbitrary commands, download and launch ~/.n2/bow and ~/.n2/adc, terminate Brave and Google Chrome, and even delete itself. The other scripts are ~/.n2/bow, a Python-based browser password stealer, and ~/.n2/adc, which installs AnyDesk on Windows.

Phylum's investigation identified comments in the source code (“/users/ninoacuna/”) that helped track down a now-deleted profile with the same name (“Nino Acuna” or binaryExDev). This profile contained a repository called File-Uploader, which had Python scripts referencing the same IP addresses (162.218.114[.]83 – subsequently changed to 45.61.169[.]99) used to fetch the Python above scripts.

The attack is suspected to be in progress, as at least four more packages with identical features have made their way to the package repository, attracting 325 downloads. These packages include data-time-utils (52 downloads starting from February 15), login-time-utils (171 downloads beginning from February 15), MongoDB-connection-utils (51 downloads starting from February 19), and MongoDB-execution-utils (51 downloads beginning from February 19). Phylum also analyzed the two accounts that binaryExDev followed and uncovered another repository known as move-finance-org/auth-playground, which has been forked at least a dozen times by other accounts.

While forking a repository is not unusual, some forked repositories were renamed as “auth-demo” or “auth-challenge,” which raises the possibility that the original repository may have been shared as part of a test for a job interview. The repository was later moved to banus-finance-org/auth-sandbox, Dexbanus-org/live--sandbox, and mave-finance/next-assessment, indicating attempts to get around 's takedown attempts actively. All these accounts have been removed.

Moreover, the following assessment package contained a dependency “json-mock-config-server” that is not listed on the registry. Still, it served directly from the domain npm.mave[.]finance. It is worth noting that Banus claims to be a decentralized perpetual spot exchange based in Hong Kong, with the company even posting a job opportunity for a senior front-end developer on February 21, 2024. Whether this is a genuine job opening or an elaborate social engineering scheme must be determined.

The connection to North Korean threat actors comes from the fact that the obfuscated JavaScript embedded in the npm package overlaps with another JavaScript-based called BeaverTail. The campaign behind BeaverTail is known as Contagious Interview and was identified by Palo Alto Networks Unit 42 in November 2023. Contagious Interview is different from Operation Dream Job, linked to the Lazarus Group, in that it mainly focuses on targeting developers through fake identities in freelance job portals to trick them into installing rogue npm packages. Michael Sikorski, vice president and CTO of Palo Alto Networks Unit 42, told The Hacker News that one of the developers who fell victim to the campaign has confirmed to Phylum that the repository was shared under the guise of a live interview. However, they said they never installed it on their system.

Phylum advises individual developers and software development organizations to remain vigilant against these attacks in open-source code.

Leave a comment

Newsletter Signup

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

Look, you wanna be elite? You have to do a righteous hack.Phreak

Deitasoft © 2024. All Rights Reserved.