New North Korean Actor Distributing Malicious npm Packages To Compromise Organizations

Early in 2024, North Korean threat actors persisted in using the public npm registry to disseminate malicious packages that were similar to those that Jade Sleet had previously used. 

Initially thought to be an extension of Sleet’s activity, further investigation revealed a new threat actor targeting the open-source ecosystem through the npm registry, highlighting the ongoing risk posed by North Korean actors despite heightened awareness within the security community. 

A new North Korean threat actor, Moonstone Sleet, leverages the open-source software supply chain vulnerability by distributing malware through malicious packages on the public npm registry.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

This tactic, which is comparable to that of other North Korean actors like Jade Sleet, exposes developers to potential compromise and emphasizes the ongoing threat that state-sponsored actors pose to the integrity of the open-source ecosystem. 

Microsoft has identified a new North Korean threat actor, Moonstone Sleet, that uses various tactics (TTPs) for financial gain and espionage, which overlap with other North Korean actors but also include unique methods. 

Similar to techniques reported by Phylum, Moonstone Sleet distributes malicious npm packages through both targeted freelancing platforms and the public npm registry, which expands their reach and increases the chance of unsuspecting developers installing their malware.  

An analysis of malicious npm packages by Checkmarx reveals distinct code styles between those linked to Jade Sleet (Spring/Summer 2023) and Moonstone Sleet (Late 2023/Early 2024), while Jade Sleet’s packages employed a two-part strategy to evade detection. 

The first, published under a separate account, created a directory and fetched updates from a remote server, establishing the infrastructure for the second package, likely containing the malicious payload, to execute on the compromised machine. 

The second package in the pair acts as a downloader and executor, which retrieves a token from a file created by the first package and uses it to download malicious code from a specific URL, which is then written to a new file on the victim’s machine and executed as a Node.js script, unleashing its malicious functionality. 

The two-package approach is a shift from the single-package method used in late 2023 and early 2024, where the payload was directly encoded and executed upon installation.

The attackers seem to be refining their technique by using a separate downloader to potentially evade detection while maintaining the core malicious functionality.  

Attackers are using malicious open-source packages to deliver payloads, which download a file, decrypt it using a simple XOR, rename it, and execute it via rundll32 on Windows. 

To evade detection, the package self-cleans by deleting temporary files and replacing its malicious code with a clean version, while the attack evolved in Q2 2024, with packages becoming more complex, using obfuscation, and targeting Linux systems as well.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free