North Korean threats to the npm software supply chain via malicious packages
North Korean state-sponsored threat actors have been carrying out increasingly sophisticated supply chain attacks aimed at infiltrating target organizations. By compromising popular open source packages and repositories, they abuse the trust developers place in shared code to distribute malware.
Recent investigations uncovered an attack affecting the npm package registry, which exploited the preinstall script in package.json files to fetch and execute a remote payload. Further analysis linked this activity to the notorious North Korean Lazarus cybercrime group. The attack indicates North Korea's persistent efforts to evolve its cyber warfare capabilities by targeting software supply chains.
This supply chain attack leveraged various techniques, including open source package poisoning through trusted repositories like GitHub and direct exploitation of package managers like npm. After gaining an initial foothold, the threat actors employed multi-stage malicious scripts and processes to eventually fetch and activate remote payloads, covering their tracks.
During the roughly 5 hours the corrupted code was live, around $600k was stolen before Ledger’s security squad rolled out version 1.1.8 to plug the hole. So while the attack stung, it could have been far more damaging.
The Ledger connect-kit incident is what happens without internal security practices: threat modeling, secure code review and security champions are among the measures that would have helped prevent this dire web3 malware.
Even within the short-time frame in which the malicious versions of Ledger’s