GitHub warned of a new North Korean threat campaign designed to compromise victims via malicious npm package dependencies.
The development platform claimed in a blog post earlier this week that the attacks targeted employees in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors.
The attacks begin when threat actors pose as a developer or recruiter with a fake GitHub, LinkedIn, Slack, or Telegram profile, according to Alexis Wales, GitHub’s vice president of security operations. In some cases, the attacker can hijack legitimate accounts.
They then initiate contact with the target and try to move the conversation to another platform.
“After making contact with a target, the threat actor invites them to contribute to a GitHub repository and convinces them to clone and run its content,” Wales explained.
“The GitHub repository can be public or private. The GitHub repository contains software that includes malicious npm dependencies. Some software themes used by the threat actor include media players and cryptocurrency trading tools.”
These malicious dependencies act as first-stage malware: once the cloned project is run they fetch a second-stage payload onto the victim's machine, although exactly what that second stage is remains unclear.
GitHub stated with “high confidence” that the attackers belong to the North Korean group known as “Jade Sleet” by Microsoft Threat Intelligence and “TraderTraitor” by the US Cybersecurity and Infrastructure Security Agency (CISA).
In related news, an attack on SSO provider JumpCloud in late June has also been blamed on North Korea, according to SentinelOne.