June's Sophisticated npm Attack Attributed to North Korea

In June 2023, Phylum made a significant discovery

In June 2023, Phylum was the first to uncover a series of suspicious npm publications that seemed to be part of a highly targeted attack.

The Identified Packages and Their Installation Sequence

The identified packages, which were published in pairs, needed to be installed in a specific order. This sequence allowed for the retrieval of a token that enabled the download of a final malicious payload from a remote server. A recent security alert from GitHub has publicly linked this cyber-attack—an incident they were investigating independently—to threat actors with strong connections to North Korean objectives.

The GitHub Security Alert: Insights from July 2023

On July 18, 2023, GitHub published a security alert on their blog. This alert provided additional insights into a recent attack, which they had been investigating in collaboration with npm, their subsidiary.

They described it as a low-volume social engineering campaign

They characterized it as a "low-volume social engineering campaign that targets the personal accounts of employees of technology firms." Furthermore, they stated the following: We assess with high confidence that this campaign is linked to a group that operates in support of North Korean objectives, referred to as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S.