Saturday, January 25, 2025
HomeCVE/vulnerabilityNew North Korean Actor Distributing Malicious npm Packages To Compromise Organizations

New North Korean Actor Distributing Malicious npm Packages To Compromise Organizations

Published on

SIEM as a Service

Follow Us on Google News

Early in 2024, North Korean threat actors persisted in using the public npm registry to disseminate malicious packages that were similar to those that Jade Sleet had previously used. 

Initially thought to be an extension of Sleet’s activity, further investigation revealed a new threat actor targeting the open-source ecosystem through the npm registry, highlighting the ongoing risk posed by North Korean actors despite heightened awareness within the security community. 

Timeline

A new North Korean threat actor, Moonstone Sleet, leverages the open-source software supply chain vulnerability by distributing malware through malicious packages on the public npm registry.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

This tactic, which is comparable to that of other North Korean actors like Jade Sleet, exposes developers to potential compromise and emphasizes the ongoing threat that state-sponsored actors pose to the integrity of the open-source ecosystem. 

Microsoft has identified a new North Korean threat actor, Moonstone Sleet, that uses various tactics (TTPs) for financial gain and espionage, which overlap with other North Korean actors but also include unique methods. 

Malicious Payload Execution 

Similar to techniques reported by Phylum, Moonstone Sleet distributes malicious npm packages through both targeted freelancing platforms and the public npm registry, which expands their reach and increases the chance of unsuspecting developers installing their malware.  

An analysis of malicious npm packages by Checkmarx reveals distinct code styles between those linked to Jade Sleet (Spring/Summer 2023) and Moonstone Sleet (Late 2023/Early 2024), while Jade Sleet’s packages employed a two-part strategy to evade detection. 

The first, published under a separate account, created a directory and fetched updates from a remote server, establishing the infrastructure for the second package, likely containing the malicious payload, to execute on the compromised machine. 

code of the first package in the pair 

The second package in the pair acts as a downloader and executor, which retrieves a token from a file created by the first package and uses it to download malicious code from a specific URL, which is then written to a new file on the victim’s machine and executed as a Node.js script, unleashing its malicious functionality. 

Code of second package in pair 

The two-package approach is a shift from the single-package method used in late 2023 and early 2024, where the payload was directly encoded and executed upon installation.

The attackers seem to be refining their technique by using a separate downloader to potentially evade detection while maintaining the core malicious functionality.  

Attackers are using malicious open-source packages to deliver payloads, which download a file, decrypt it using a simple XOR, rename it, and execute it via rundll32 on Windows. 

To evade detection, the package self-cleans by deleting temporary files and replacing its malicious code with a clean version, while the attack evolved in Q2 2024, with packages becoming more complex, using obfuscation, and targeting Linux systems as well.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to...