Security researchers at Phylum have uncovered a software supply-chain campaign delivered through malicious npm packages that has been active since November. Once installed, the packages run install-time code that downloads a remote file, executes it, and then deletes the evidence of what it did, so the package directory left on disk looks harmless and the malicious activity is hidden from anyone who inspects it afterwards. In practice this means that reviewing node_modules after the fact is not enough; the published package contents and its install scripts are what need to be examined. Further investigation tied nearly two dozen additional packages to the same campaign, which is attributed to the North Korean APT group Lazarus.
The packages use crypto-themed names and are built to gain persistent access to the machines of the developers who install them and, through those developers, to the organizations they work for, particularly in the cryptocurrency sector. According to Recorded Future, the operation has a dual objective: amassing cryptocurrency and evading the international sanctions imposed on North Korea. Since 2017 the group has allegedly stolen around $3 billion in cryptocurrency, a sum that matters significantly to the country's economy and its military funding.
A separate SecurityWeek report from mid-2023 described North Korean APTs targeting security researchers with trojanized software and zero-day exploits. Google's Threat Analysis Group (TAG) identified an active North Korean actor approaching researchers over social media and encrypted messaging apps, building trust through prolonged interaction, and then sending malicious files carrying zero-day exploits to take control of the researchers' machines.
These incidents point to a worrying trend of North Korean APTs targeting the individuals and organizations that build cyber defence capabilities. Spending zero-day vulnerabilities, which are unknown to the vendor and have no patch available, on such targets indicates the level of sophistication and resources these threat actors have at their disposal.