Monday, July 22, 2024

New North Korean Actor Distributing Malicious npm Packages To Compromise Organizations

Early in 2024, North Korean threat actors persisted in using the public npm registry to disseminate malicious packages that were similar to those that Jade Sleet had previously used. 

Initially thought to be an extension of Sleet’s activity, further investigation revealed a new threat actor targeting the open-source ecosystem through the npm registry, highlighting the ongoing risk posed by North Korean actors despite heightened awareness within the security community. 


A new North Korean threat actor, Moonstone Sleet, leverages the open-source software supply chain vulnerability by distributing malware through malicious packages on the public npm registry.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

This tactic, which is comparable to that of other North Korean actors like Jade Sleet, exposes developers to potential compromise and emphasizes the ongoing threat that state-sponsored actors pose to the integrity of the open-source ecosystem. 

Microsoft has identified a new North Korean threat actor, Moonstone Sleet, that uses various tactics (TTPs) for financial gain and espionage, which overlap with other North Korean actors but also include unique methods. 

Malicious Payload Execution 

Similar to techniques reported by Phylum, Moonstone Sleet distributes malicious npm packages through both targeted freelancing platforms and the public npm registry, which expands their reach and increases the chance of unsuspecting developers installing their malware.  

An analysis of malicious npm packages by Checkmarx reveals distinct code styles between those linked to Jade Sleet (Spring/Summer 2023) and Moonstone Sleet (Late 2023/Early 2024), while Jade Sleet’s packages employed a two-part strategy to evade detection. 

The first, published under a separate account, created a directory and fetched updates from a remote server, establishing the infrastructure for the second package, likely containing the malicious payload, to execute on the compromised machine. 

code of the first package in the pair 

The second package in the pair acts as a downloader and executor, which retrieves a token from a file created by the first package and uses it to download malicious code from a specific URL, which is then written to a new file on the victim’s machine and executed as a Node.js script, unleashing its malicious functionality. 

Code of second package in pair 

The two-package approach is a shift from the single-package method used in late 2023 and early 2024, where the payload was directly encoded and executed upon installation.

The attackers seem to be refining their technique by using a separate downloader to potentially evade detection while maintaining the core malicious functionality.  

Attackers are using malicious open-source packages to deliver payloads, which download a file, decrypt it using a simple XOR, rename it, and execute it via rundll32 on Windows. 

To evade detection, the package self-cleans by deleting temporary files and replacing its malicious code with a clean version, while the attack evolved in Q2 2024, with packages becoming more complex, using obfuscation, and targeting Linux systems as well.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free


Latest articles

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....

Hackers Registered 500k+ Domains Using Algorithms For Extensive Cyber Attack

Hackers often register new domains for phishing attacks, spreading malware, and other deceitful activities. Such...

Hackers Claim Breach of Daikin: 40 GB of Confidential Data Exposed

Daikin, the world's largest air conditioner manufacturer, has become the latest target of the...

Emojis Are To Express Emotions, But CyberCriminals For Attacks

There are 3,664 emojis that can be used to express emotions, ideas, or objects...

Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024,...

Data Breach Increases by Over 1,000% Annually

The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support...

UK Police Arrested 17-year-old Boy Responsible for MGM Resorts Hack

UK police have arrested a 17-year-old boy from Walsall in connection with a notorious...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles