North Korea Still Attacking Developers via npm

Description

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloads additional components, including Python scripts and interpreters, to exfiltrate sensitive data from cryptocurrency wallets and establish persistence. Some packages use different approaches, such as directly evaluating JavaScript from remote endpoints or executing batch and PowerShell scripts to deploy and conceal malware. This coordinated effort exploits the trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or other valuable assets.