A number of fake packages discovered in the npm registry have been found to share ties to North Korean state-sponsored actors, new findings from Phylum show.
The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils.
One of the packages in question, execution-time-async, masquerades as the legitimate execution-time, a Node.js utility for measuring code execution time that sees over 27,000 weekly downloads.
“It actually installs several malicious scripts including a cryptocurrency and credential thief,” Phylum said, describing the campaign as a software supply chain attack aimed at software developers. The package had been downloaded 302 times since February 4, 2024, before it was removed.
In an interesting twist, the threat actors hid obfuscated malicious code in a test file. It is designed to retrieve next-stage payloads from a remote server, steal credentials from web browsers such as Brave, Google Chrome, and Opera, and fetch a Python script, which in turn downloads other scripts –
- ~/.n2/pay, which can execute arbitrary commands, download and launch ~/.n2/bow and ~/.n2/adc, terminate Brave and Google Chrome, and even delete itself
- ~/.n2/bow, which is a Python-based browser password stealer
- ~/.n2/adc, which installs AnyDesk on Windows
Phylum said it identified comments in the source code (“/Users/ninoacuna/”) that made it possible to track down a now-deleted GitHub profile of the same name (“Nino Acuna” or BinaryExDev) containing a repository called File-Uploader.
Within the repository there were Python scripts that referenced the same IP addresses (162.218.114[.]83 – subsequently modified to 45.61.169[.]99) used to retrieve the aforementioned Python scripts.
The attack is suspected to be a work in progress, as at least four other packages with identical characteristics have made it to the npm registry, attracting a total of 325 downloads.
Links to North Korean actors emerge
Phylum, which also analyzed the two GitHub accounts followed by BinaryExDev, discovered another repository known as mave-finance-org/auth-playground, which has been forked no fewer than a dozen times by other accounts.
While forking a repository itself is not unusual, one unusual aspect of some of these repositories is that they have been renamed as “auth-demo” or “auth-challenge”, raising the possibility that the original repository may have been shared as part of a coding test for a job interview.
The repository was subsequently moved to banus-finance-org/auth-sandbox, Dexbanus-org/live-coding-sandbox, and mave-finance/next-assessment, indicating active attempts to evade GitHub’s takedowns. All of these accounts have since been removed.
Additionally, the next-assessment package was found to declare a “json-mock-config-server” dependency that is not listed in the npm registry but is instead served directly from the npm.mave[.]finance domain.
It is worth noting that Banus claims to be a decentralized perpetual spot exchange based in Hong Kong, with the company even posting a job opportunity for a senior frontend developer on February 21, 2024. It is currently unclear whether this is a real job opening or whether it is an elaborate scheme of social engineering.
The links to North Korean threat actors stem from the fact that the obfuscated JavaScript embedded in the npm package overlaps with another JavaScript-based malware called BeaverTail that is propagated via npm packages. The campaign was codenamed Contagious Interview by Palo Alto Networks Unit 42 in November 2023.
Contagious Interview differs from Operation Dream Job, which is linked to the Lazarus Group, in that it primarily targets developers through fake identities on freelance job portals to trick them into installing unauthorized npm packages, Michael Sikorski, vice president and CTO of Palo Alto Networks’ Unit 42, told The Hacker News at the time.
One of the developers targeted by the campaign later confirmed to Phylum that the repository was shared under the guise of a live coding interview, although he said he never installed it on his system.
“More than ever, it is important for both individual developers and software development organizations to remain vigilant against these attacks on open source code,” the company said.