In June 2023, Phylum was the first to unearth a series of suspicious npm publications belonging to what appeared to be a highly targeted attack. The identified packages, published in pairs, required installation in a specific sequence, subsequently retrieving a token that facilitated the download of a final malicious payload.
They’re often supported by external resources, like China. There isn’t really a community inside of North Korea to draw from like you’d expect in some more established countries.
In this case the attackers are targeting technologists and convincing them to collaborate on a git repository somewhere. That git repo includes dependencies that are hosted on npm, and require a specific order of installation to trigger the malicious behavior.
When the unwitting dev installs the deps for the git repo, they receive the malicious payload as well.