North Korea Still Attacking Developers via npm

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY:

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloads additional components, including Python scripts and interpreters, to exfiltrate sensitive data from cryptocurrency wallets and establish persistence. Some packages use different approaches, such as directly evaluating JavaScript from remote endpoints or executing batch and PowerShell scripts to deploy and conceal malware. This coordinated effort exploits the trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or other valuable assets.

OPENCTI LABELS:

malware, obfuscation, javascript, cryptocurrency, python, exfiltration, persistence, moonstone sleet, npm, contagious interview, multi-stage attack

