North Korean state-sponsored threat actors were observed inserting malicious packages into the npm registry in an attempt to infiltrate endpoints belonging to software developers.
This time, they were detected by cybersecurity researchers at Phylum, who assess that the ultimate goal of the campaign is to steal the victims' cryptocurrency.
According to the researchers, the attack began on August 12 this year. Several malicious npm packages were uploaded, including temp-etherscan-api and two versions of ethersscan-api. More than a week later, the attackers uploaded telegram-con and another version of ethersscan-api, and some time after that, qq-console. There are likely even more packages out there.
InvisibleFerret and Lazarus
All of these npm packages are just one cog in a malicious campaign that researchers dubbed “Contagious Interview.” The attackers posed as a major software development company (in either the web2 or the web3 space) and pretended to offer victims a lucrative job opportunity. Sometimes they reached out via LinkedIn, and sometimes via instant messaging platforms such as Telegram.
The victims, usually software developers already working on blockchain-based solutions, were offered a great job with a significant pay increase and invited to a series of interviews. During one of those interviews, they were asked to download and open a file, typically a PDF, or in this case, an npm package.
These packages deploy a Python-based malware called InvisibleFerret, which is capable of extracting sensitive data from cryptocurrency wallet browser extensions.
Although the researchers never name them, this is a tactic commonly employed by the North Korean state-sponsored group known as Lazarus.
Lazarus is one of the largest and most disruptive hacker collectives to emerge from North Korea. It is credited with some of the largest cryptocurrency heists in history, including the theft of over $600 million. The country is allegedly using the money to fund its state apparatus as well as its weapons program.
Via Hacker News