Everyday is lazarus.dayβ

Update to November’s Crypto-Themed npm Attack

2024-01-05, Phylum
#SupplyChain #NPM

Back in November, we published a write-up about a collection of npm packages involved in a complex attack chain. These packages, once installed, would download a remote file, decrypt it, execute an exported function from it, and then meticulously cover their tracks by deleting and renaming files. This left the package directory in a seemingly benign state after installation.
Since that initial report, we have identified nearly two dozen additional packages belonging to this still-active campaign. Additionally, the QiAnXin Threat Intelligence Center released a detailed analysis of the binary involved in this campaign, conclusively linking it to a North Korean APT. With this revelation, and given that the package names were crypto-themed, it becomes increasingly apparent that the campaign’s ultimate objective was likely twofold: first, to gain persistent access to the systems of developers who installed these packages, and second, to leverage this access to …