Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloads additional components, including Python scripts and interpreters, to exfiltrate sensitive data from cryptocurrency wallets and establish persistence. Some packages use different approaches, such as directly evaluating JavaScript from remote endpoints or executing batch and PowerShell scripts to deploy and conceal malware. This coordinated effort exploits the trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or other valuable assets.
Author: AlienVault
Related Tags:
Moonstone Sleet
exfiltration
T1059.007
Obfuscation
contagious interview
T1059.001
T1555
npm
T1059.003
Associated Indicators:
AEC21B53EE4AE0B55F5018FC5AAA5A4F095A239A64272CA42047C40EC3C212C0
5E5313AAF281C8A8EED29BA2C1AAA5AA65BC174BCD0BE466F4533712599DB758
D4F3113E1E0384BCF37C39678DEB196FB5B39F15C4990134B6B8637BE74E5A2E
2A00838CCD08B26C7948D1DD25C33A114DD81C3BCEE3DE595783E6F396E7F50E
94DA263D603BF735AB85F829B564261E59A1D13915D21BABE58E72435BFE32AB
F7C142178605102EE56F7E486BA68B97F3F6B522994B24F4116DBBD2ABC28CEC
95.164.17.24
167.88.36.13
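The summary above describes the install-time pattern (a lifecycle hook that runs obfuscated JavaScript which decodes strings, spawns a Python interpreter or fetches remote code). The following Python script is an added triage example, not AlienVault's or any project's code: it inspects an npm package's lifecycle hooks, applies heuristic regexes to the hooked scripts, and checks file hashes and embedded addresses against the indicators listed on this page. The sample package contents are constructed for the example, the 64-hex-character indicators are assumed to be SHA-256 file hashes, and the regex heuristics are this example's own choices, not detection rules from the report.

```python
"""Heuristic triage of an unpacked npm package against install-hook abuse."""
import hashlib
import json
import re

# Indicators from the page. The hashes are assumed to be SHA-256 (64 hex chars).
KNOWN_BAD_SHA256 = {
    "AEC21B53EE4AE0B55F5018FC5AAA5A4F095A239A64272CA42047C40EC3C212C0",
    "5E5313AAF281C8A8EED29BA2C1AAA5AA65BC174BCD0BE466F4533712599DB758",
    "D4F3113E1E0384BCF37C39678DEB196FB5B39F15C4990134B6B8637BE74E5A2E",
    "2A00838CCD08B26C7948D1DD25C33A114DD81C3BCEE3DE595783E6F396E7F50E",
    "94DA263D603BF735AB85F829B564261E59A1D13915D21BABE58E72435BFE32AB",
    "F7C142178605102EE56F7E486BA68B97F3F6B522994B24F4116DBBD2ABC28CEC",
}
KNOWN_BAD_IPS = {"95.164.17.24", "167.88.36.13"}

# npm lifecycle hooks that run automatically on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns (this example's own assumptions, not signatures from the report).
PATTERNS = [
    ("eval-or-function-ctor", re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    ("child-process", re.compile(r"child_process")),
    ("python-reference", re.compile(r"\bpython3?\b|\.py\b")),
    ("remote-fetch", re.compile(r"https?\.get\s*\(|\bfetch\s*\(|\bhttps?://")),
    ("hex-escaped-strings", re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")),
    ("base64-decode", re.compile(r"Buffer\.from\([^)]*base64|\batob\s*\(")),
]

# Constructed sample: a package whose postinstall hook runs an obfuscated loader.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-helper",
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }),
    "setup.js": (
        'const _0x1a=["\\x68\\x74\\x74\\x70\\x73",".py"];'
        'require("child_process").exec("python3 -c \\"...\\"");'
        'eval(Buffer.from("Y29uc29sZS5sb2coMSk=","base64").toString());'
    ),
    "index.js": "module.exports = () => 42;",
}


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, matching the casing used by the indicators above."""
    return hashlib.sha256(data).hexdigest().upper()


def install_hooks(pkg_json: dict) -> dict:
    """Return only the scripts that npm runs automatically during install."""
    return {k: v for k, v in pkg_json.get("scripts", {}).items() if k in INSTALL_HOOKS}


def triage(files: dict) -> dict:
    """files maps relative path -> text content of an unpacked package."""
    pkg = json.loads(files["package.json"])
    hooks = install_hooks(pkg)
    # Files named anywhere in a hook command are the ones worth the closest look.
    hooked_files = [f for f in files if any(f in cmd for cmd in hooks.values())]

    hash_hits, ip_hits, pattern_hits = [], [], {}
    for name, content in files.items():
        if sha256_hex(content.encode()) in KNOWN_BAD_SHA256:
            hash_hits.append(name)
        if any(ip in content for ip in KNOWN_BAD_IPS):
            ip_hits.append(name)
        if name.endswith(".js"):
            labels = [label for label, rx in PATTERNS if rx.search(content)]
            if labels:
                pattern_hits[name] = labels

    if hash_hits or ip_hits:
        verdict = "ioc-match"
    elif any(len(pattern_hits.get(f, [])) >= 2 for f in hooked_files):
        verdict = "suspicious"  # auto-run script + several obfuscation/exec traits
    else:
        verdict = "no-findings"

    return {
        "install_hooks": hooks,
        "hooked_files": hooked_files,
        "hash_hits": hash_hits,
        "ip_hits": ip_hits,
        "pattern_hits": pattern_hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PACKAGE), indent=2))
```

The verdict deliberately requires both an auto-run hook and more than one trait in the hooked script, so a legitimate package that merely shells out during `prepare` is not flagged on that alone; an exact hash or address match is reported regardless of hooks.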