Malicious npm Packages: North Korean Hackers Targeting Developers -

Recent discoveries by Phylum indicate that a series of counterfeit npm packages identified on the Node.js repository are associated with state-sponsored actors from North Korea.

Malicious npm Packages

The packages include execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils.

One of the packages, execution-time-async, disguises itself as its legitimate counterpart execution-time, which boasts over 27,000 weekly downloads. Execution-time is a Node.js utility utilized for measuring execution time in code.Describing the campaign as a software supply chain attack aimed at developers, Phylum revealed that the package “installs multiple malicious scripts, including a cryptocurrency and credential stealer.” Since February 4, 2024, the package was downloaded 302 times before being removed.

In an intriguing turn, the threat actors attempted to hide the obfuscated malicious code within a test file. This file is crafted to fetch next-stage payloads from a remote server, pilfer credentials from web browsers such as Brave, Google Chrome, and Opera, and retrieve a Python script. This Python script, in turn, downloads additional scripts.

~/.n2/pay, which can run arbitrary commands, download and launch ~/.n2/bow and ~/.n2/adc, terminate Brave and Google Chrome, and even delete itself
~/.n2/bow, which is a Python-based browser password stealer
~/.n2/adc, which installs AnyDesk on Windows

Phylum stated that it discovered comments in the source code (“/Users/ninoacuna/”), enabling the tracking of a GitHub profile, now deleted, with the same name (“Nino Acuna” or binaryExDev). This profile contained a repository named File-Uploader.

The repository contained Python scripts that referenced the same IP addresses (162.218.114[.]83, later changed to 45.61.169[.]99) used to retrieve the previously mentioned Python scripts.

The attack is believed to be ongoing, with at least four additional packages featuring identical characteristics appearing on the npm package repository. These packages collectively garnered 325 downloads:

data-time-utils: 52 downloads since February 15
login-time-utils: 171 downloads since February 15
mongodb-connection-utils: 51 downloads since February 19
mongodb-execution-utils: 51 downloads since February 19

Phylum, analyzing the GitHub accounts followed by binaryExDev, uncovered another repository named mave-finance-org/auth-playground. This repository has been forked by at least a dozen other accounts.

While forking a repository is commonplace, certain aspects of some of these forked repositories were peculiar: they were renamed as “auth-demo” or “auth-challenge,” suggesting that the original repository might have been utilized as a coding test for a job interview.

Subsequently, the repository was relocated to banus-finance-org/auth-sandbox, Dexbanus-org/live-coding-sandbox, and mave-finance/next-assessment, indicating efforts to circumvent GitHub’s takedown attempts actively. All of these accounts have since been removed.

Furthermore, the next-assessment package was discovered to contain a dependency named “json-mock-config-server,” which is not listed on the npm registry but served directly from the domain npm.mave[.]finance.

It’s important to note that Banus claims to be a decentralized perpetual spot exchange based in Hong Kong, even posting a job opportunity for a senior frontend developer on February 21, 2024. However, it remains unclear whether this job opening is genuine or part of an elaborate social engineering scheme.

The links to North Korean threat actors arise from the fact that the obfuscated JavaScript embedded in the npm package overlaps with another JavaScript-based malware called BeaverTail, propagated via a similar mechanism. This campaign was codenamed “Contagious Interview” by Palo Alto Networks Unit 42 in November 2023.

Contrary to Operation Dream Job, associated with the Lazarus Group, Contagious Interview primarily targets developers through fake identities in freelance job portals, tricking them into installing rogue npm packages, as explained by Michael Sikorski, vice president and CTO of Palo Alto Networks Unit 42.

One developer victimized by the campaign has confirmed to Phylum that the repository is shared under the guise of a live coding interview, though they never installed it on their system.

“More than ever, it is important for both individual developers as well as software development organizations to remain vigilant against these attacks in open-source code,” emphasized the company.