North Korean-Linked Threat Actor Targets Developers with New npm Infostealer RAT

2026-05-20, OxSecurity
https://www.ox.security/blog/north-korean-npm-infostealer-rat/
#NPM

Breaking News: OX Security has identified a malicious npm package containing keylogger, infostealer, and RAT behavior. We have traced the threat actor behind it to previously documented North Korean (DPRK) campaigns.
The package, ‘terminal-logger-utils,’ targets Telegram data, SSH keys, crypto wallets, cloud configurations (AWS, GCP, Azure), environment variables, and more. Three dependent packages import it and trigger the malicious behavior when installed: pretty-logger-utils, ts-logger-pack, and pinno-loggers.
The threat actor behind the upload – jpeek895 – was previously reported on kmsec.uk for uploading a similar npm package linked to DPRK activity.
Source: https://dprk-research.kmsec.uk/
npm users who uploaded the dependent packages:
- pvnd3540749
- yggedd817513
- jpeek886
Recommended Actions
Immediate Actions:
- Remove the malware from the infected machine
- Check for network requests to the IoCs
- Rotate keys and credentials and enable 2FA
Technical Analysis
The package declares a postinstall hook in its package.json that runs utils.cjs during installation.
utils.cjs is an obfuscated dropper: it identifies the host system and downloads the binary matching that platform.
The malware’s hosting …

IoC

https://dprk-research.kmsec.uk/