Nation-State Threat Actors Renew Publications to npm
Back in November of 2023, we published a blog post highlighting the technical details of a sophisticated attack in npm attributed to North Korea. We subsequently published a follow-up in January of 2024 detailing the history of the attack and highlighting the broader context of North Korean APTs operating in open-source ecosystems. Since then, it’s been relatively quiet—until today. On 23 April 2024, Phylum’s automated risk detection platform flagged a few new publications belonging to this campaign, with a slight twist.
The Attack Evolves
The npm user nebourhoodopen-source published two packages, react-dom-production-script and hardhat-daemon, each with a preinstall hook in its package.json that immediately executes a file shipped inside the package:

"scripts": { "preinstall": "node deference.js", "test": "./node_modules/vows/bin/vows test/*.js --spec" }

Similar to earlier packages belonging to this campaign, the attackers used a preinstall hook to gain arbitrary code execution upon installation: npm runs the preinstall script automatically, before the package's code is ever imported by the consuming project. However, in the earlier versions, they executed a non-obfuscated JavaScript file and then immediately deleted it …
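The install-time execution described above is exactly what a manifest check should catch before `npm install` runs. The following is an added example, not Phylum's tooling nor code from the packages themselves: it audits the lifecycle hooks npm runs automatically during installation and flags commands that execute a bundled file or reach for the network. The sample manifest is constructed from the "scripts" fragment quoted above; the function and pattern names are my own.

```javascript
// Added example (not Phylum's code): flag npm lifecycle scripts that run
// code at install time. SAMPLE_MANIFEST is constructed from the "scripts"
// fragment quoted in the post; helper names are this example's own.

// Lifecycle hooks npm executes on its own during `npm install`.
const INSTALL_HOOKS = new Set([
  "preinstall", "install", "postinstall",
  "preprepare", "prepare", "postprepare",
]);

// Heuristics for "this hook runs code", as opposed to a plain build tool.
const SUSPICIOUS = [
  { re: /\bnode\s+(\.\/)?[\w./-]+\.[cm]?js\b/, why: "runs a bundled JS file with node" },
  { re: /\b(curl|wget)\b/,                     why: "fetches content from the network" },
  { re: /\b(sh|bash)\s+-c\b/,                  why: "spawns a shell" },
  { re: /\bbase64\b/,                          why: "decodes base64 (common obfuscation)" },
];

// Returns one finding per install-time hook present in the manifest.
// `risky` is true when at least one heuristic matched the command.
function auditInstallScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const [hook, cmd] of Object.entries(scripts)) {
    if (!INSTALL_HOOKS.has(hook)) continue;           // test/build/etc. are not auto-run
    const reasons = SUSPICIOUS.filter(s => s.re.test(cmd)).map(s => s.why);
    findings.push({ hook, cmd, reasons, risky: reasons.length > 0 });
  }
  return findings;
}

// Constructed sample: the quoted "scripts" block wrapped in a minimal manifest.
const SAMPLE_MANIFEST = {
  name: "react-dom-production-script",
  version: "1.0.0",
  scripts: {
    preinstall: "node deference.js",
    test: "./node_modules/vows/bin/vows test/*.js --spec",
  },
};

for (const f of auditInstallScripts(SAMPLE_MANIFEST)) {
  const tag = f.risky ? "RISK" : "info";
  console.log(`${tag} ${f.hook}: ${f.cmd}` + (f.reasons.length ? `  (${f.reasons.join("; ")})` : ""));
}
```

Run against a real dependency tree, the same function can be pointed at every `node_modules/**/package.json` after a `--ignore-scripts` install, so the hooks are inspected before they are ever allowed to run. Setting `ignore-scripts=true` in `.npmrc` makes that the default for a project and removes the preinstall hook as an execution primitive entirely; packages that genuinely need a build step can then be rebuilt deliberately with `npm rebuild`.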
IoC
http://matrixane.com
https://matrixane.com/download/download.asp?id=8931