North Korean Hackers Launch NPM Supply Chain Attack

Posted on September 3, 2025 / September 26, 2025 by Finstein.ai

A sophisticated North Korean cyber campaign has resurfaced, deploying twelve malicious NPM packages to infiltrate developer systems and steal cryptocurrency.

The attack exploits supply chain trust in open-source repositories: the threat actors pose as interviewers and instruct developers to install the infected packages as part of a coding test. Once installed, the malware, a Beavertail variant, scans for crypto wallets, browser extensions, and sensitive files across Windows, macOS, and Linux, using heavy obfuscation to evade detection.

Security firm Veracode first flagged four packages (cloud-binary, json-cookie-csv, cloudmedia, and nodemailer-enhancer) before uncovering eight more. The latest strain, identified as version 3, uses a ~/.n3 working directory (up from ~/.n2 in earlier versions) and employs AES-256-CBC encryption with a unique key per variant.

The infection begins with a postinstall hook that runs a hidden script (e.g., lib/utils/analytics/node_modules/file15.js) to decrypt and execute the malicious payload. The malware establishes persistence, communicates with multiple C2 servers over port 1224, and accepts real-time commands over WebSocket and HTTP.

It can also download additional Python scripts that exfiltrate cryptocurrency data to attacker-controlled servers. Analysts warn that the campaign is actively evolving, making it a serious and ongoing threat to developers and digital asset holders.

This latest North Korean supply chain campaign underscores the growing risk to developers working in open-source ecosystems. By exploiting trust in NPM packages and blending social engineering with technical sophistication, the attackers bypass traditional security measures and go straight for valuable crypto assets. Developers must adopt zero-trust principles, verify third-party code, and actively monitor their dependencies to reduce exposure. In today's threat landscape, even a routine coding task can become a high-stakes security risk.
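Because the campaign relies on npm's automatic install-time lifecycle scripts, one practical check before (or after) running `npm install` is to enumerate which installed packages declare such hooks and where their commands point. The following is an added example, not code from the article or from Veracode: it audits a node_modules tree for preinstall/install/postinstall/prepare scripts and flags commands that reference a node_modules path nested inside the package itself, as the hidden loader path quoted above does. The sample tree it builds is constructed for illustration, and the package name `example-pkg-with-hook` is a placeholder. Running installs with `npm install --ignore-scripts` and reviewing the findings is a complementary mitigation.

```python
import json
import tempfile
from pathlib import Path

# npm runs these lifecycle scripts automatically during `npm install`;
# the campaign described above abuses postinstall to launch its loader.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_package(manifest):
    """Report install-time hooks declared in one package.json."""
    data = json.loads(manifest.read_text(encoding="utf-8"))
    name = data.get("name", manifest.parent.name)
    findings = []
    for hook, cmd in data.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        # A script stored under a node_modules path *inside* the package
        # (like lib/utils/analytics/node_modules/file15.js on this page)
        # is an unusual place for legitimate install logic to live.
        findings.append({"package": name, "hook": hook, "command": cmd,
                         "nested_node_modules": "node_modules" in cmd})
    return findings


def audit_node_modules(root):
    """Scan top-level and scoped packages in a node_modules directory."""
    findings = []
    for pattern in ("*/package.json", "@*/*/package.json"):
        for manifest in sorted(Path(root).glob(pattern)):
            findings.extend(audit_package(manifest))
    return findings


def build_sample_tree():
    """Constructed sample: one benign package, one with a suspicious hook."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    manifests = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0",
                         "scripts": {"test": "node test.js"}},
        "example-pkg-with-hook": {  # placeholder name, constructed manifest
            "name": "example-pkg-with-hook", "version": "3.0.0",
            "scripts": {"postinstall":
                        "node lib/utils/analytics/node_modules/file15.js"}},
    }
    for dirname, manifest in manifests.items():
        (root / dirname).mkdir(parents=True)
        (root / dirname / "package.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        flag = " [nested node_modules path]" if f["nested_node_modules"] else ""
        print(f"{f['package']}: {f['hook']} -> {f['command']}{flag}")
```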

Source link — https://cybersecuritynews.com/north-korean-hackers-weaponizing-npm-packages/

#CyberSecurity #SupplyChainAttack #NorthKoreanHackers #NPM #CryptoSecurity #DeveloperSecurity #OpenSourceRisks #Malware #Beavertail #ThreatIntelligence #DigitalAssets #CyberThreats #InfoSec #BlockchainSecurity #ZeroTrust
