North Korean hackers target developers with malicious npm packages

Malicious npm Packages

A series of fake npm packages discovered in the Node.js repository have been found to share ties with North Korean state-sponsored actors, according to new findings from the Phylum show.

The packages are called execute-time-async, data-time-utils, login-time-utils, mongodb-connection-utils and mongodb-execution-utils.

One of the packages in question, execution-time-asynchronouspretends to be his legitimate counterpart execution time, a library with more than 27,000 weekly downloads. Execution Time is a Node.js utility used to measure execution time in code.

It “basically installs several malicious scripts, including a cryptocurrency and credential thief,” Phylum said, which describes the campaign as a software supply chain attack targeting software developers. The package was Downloaded 302 times since February 4, 2024, before it was removed.


In an interesting twist, the threat actors have made attempts to hide the obfuscated malicious code in a test file, which is designed to retrieve the next stage of payloads from a remote server, steal credentials from web browsers such as Brave, Google Chrome and Opera, and fetch a Python script, which in turn downloads other scripts –

  • ~/.n2/pay, which can execute arbitrary commands, download and launch ~/.n2/bow and ~/.n2/adc, terminate Brave and Google Chrome, and even uninstall itself
  • ~/.n2/bow, a Python-based browser password stealer
  • ~/.n2/adc, which installs AnyDesk on Windows

Phylum said it identified comments in the source code (“/Users/ninoacuna/”) that made it possible to track down a now-deleted GitHub profile of the same name (“Nino Acuna” or binaryExDev) with a repository called File -Uploader .

There were Python scripts in the repository that pointed to the same IP addresses (162.218.114[.]83 – later changed to 45.61.169[.]99) used to retrieve the above-mentioned Python scripts.

Malicious npm packages

The attack is suspected to be a work in progress as at least four additional packages with identical features have found their way into the npm package repository, generating a total of 325 downloads –

Connections develop with North Korean actors

Phylum, which also analyzed the two GitHub accounts that binaryExDev tracks, discovered another repository known as mave-finance-org/auth-playground, which has been forked by other accounts no less than a dozen times.

Malicious npm packages

While forking a repository in itself is not unusual, an unusual aspect of some of these forked repositories was that they were renamed “auth-demo” or “auth-challenge”, opening up the possibility of the original repository being shared as part of a coding test for a job interview.

The repository was later moved to banus-finance-org/auth-sandbox, Dexbanus-org/live-coding-sandbox, and mave-finance/next-assesment, indicating that attempts were made to actively circumvent GitHub’s takedown efforts. All these accounts have been deleted.


In addition, the package for the next review was found to contain a dependency “json-mock-config-server” which is not in the npm registry, but is served directly from the npm.mave domain[.]finance.

It is worth noting that Banus claims a decentralized perpetual spot exchange based in Hong Kong, where the company even has a job offer for a senior frontend developer on February 21, 2024. It is currently unclear whether this is a real job posting or if it is an extensive social engineering program.

The connections to North Korean threat actors stem from the fact that the obfuscated JavaScript embedded in the npm package overlaps with another JavaScript-based malware called BeaverTail that is distributed via npm packages. The campaign was codenamed Contagious Interview by Palo Alto Networks Unit 42 in November 2023.

Contagious Interview is a bit different from Operation Dream Job – which is linked to the Lazarus Group – in that it mainly focuses on targeting developers via fake identities in freelance job portals to trick them into installing rogue npm packages, Michael Sikorski, vice president and CTO of Palo Alto Networks Unit 42, told The Hacker News at the time.

One of the developers who fell victim to the campaign has since confirmed to Phylum that the repository is being shared under the guise of a live coding interview, although they said they never installed it on their system.

“More than ever, it is important for both individual developers and software development organizations to remain vigilant against these attacks in open source code,” the company said.

#North #Korean #hackers #target #developers #malicious #npm #packages

Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
Zarejestruj sie na Binance
Zarejestruj sie na Binance
1 day ago

I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.

Previous Post
New IDAT Loader attacks using steganography to implement Remcos RAT

New IDAT Loader attacks using steganography to implement Remcos RAT

Next Post
AI Accidents

Three tips to protect your secrets from AI mishaps

Related Posts