North Korean APT activity in May 2026 emphasized developer and software-supply-chain abuse: Lazarus weaponized Git hooks and Jenkins CI/CD workflows to spread InvisibleFerret, BeaverTail, and FCCCall, raising risks to developer credentials and cryptocurre…
ESRC found that the malicious npm package chai-as-init, distributed in versions 1.4.5 through 1.4.7, impersonated a Chai.js plugin while hiding malicious code in only two files copied into a mostly legitimate-looking pino package tree. Loading the package…
A spear-phishing email impersonating Bithumb reportedly led to malware infection on a Humanity Protocol director's Windows laptop, exposing MetaMask data and production signer keys in activity Quantstamp said was characteristic of DPRK intrusions. With th…
Nisos identified a DPRK state-sponsored employment fraud cell that submitted more than 170,000 job applications to US companies between December 2024 and September 2025, producing 76 employment offers across 22 operatives. The operation used appropriated …
North Korea-linked activity in AhnLab's May 2026 APT trend report centered on developer and software-supply-chain intrusion paths. Lazarus abused Git hooks and Jenkins CI/CD workflows to trigger InvisibleFerret, BeaverTail, and FCCCall infections aimed at…
A developer-targeted LinkedIn recruiting lure sent the author to a public GitHub repository containing a hidden Node.js backdoor. The malicious code in `app/test/index.js` assembled `https://rest-icon-handler.store/icons/77` and was designed to execute wh…
North Korean IT-worker operators used stolen identities from Bosnia and Serbia to create freelance profiles on platforms such as Guru and GoLance, seeking work with Western companies while hiding their true origin. The activity is tied in an MSMT sanction…
APT37 used Microsoft-themed spear phishing to deliver a ZIP archive containing a malicious LNK file that launched a PowerShell and batch-based infection chain. The chain installed an official embedded Python runtime, executed compiled Python bytecode disg…
APT37-linked operators used Microsoft account security-themed spear phishing against Korean users to deliver NarwhalRAT through a ZIP-contained malicious LNK, obfuscated BAT scripts, copied curl execution, and a Python embedded runtime. The malware chain …
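The two APT37 summaries above share a first stage: a ZIP that carries a malicious LNK whose target and arguments launch PowerShell and batch code. The script below is an added example, not tooling from the reports, for triaging such a shortcut before anyone double-clicks it. It builds a constructed sample .lnk (no IDList or LinkInfo sections), parses the MS-SHLLINK header and StringData fields, and flags command-line tokens from an assumed keyword list; the sample paths and arguments are invented, and the token list is a starting point to tune, not a signature set.

```python
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1 (only the ones this parser needs).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed triage keywords (lower-case, matched as substrings); tune for your environment.
SUSPICIOUS_TOKENS = (
    "powershell", "pwsh", "cmd.exe", "cmd /c", "-enc", "-w hidden",
    "-windowstyle", "-nop", "bypass", "curl ", "mshta", "rundll32", "wscript",
)


def _string_data(value, unicode):
    """Encode one StringData entry: CountCharacters (uint16) followed by the characters."""
    if unicode:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")
    raw = value.encode("cp1252")
    return struct.pack("<H", len(raw)) + raw


def build_lnk(relative_path, arguments, unicode=True):
    """Build a minimal constructed .lnk (no IDList, no LinkInfo) so the parser can be exercised offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = (
        struct.pack("<I", HEADER_SIZE)
        + LNK_CLSID
        + struct.pack("<I", flags)
        + b"\x00" * (HEADER_SIZE - 4 - 16 - 4)  # FileAttributes through Reserved3, all zero
    )
    return header + _string_data(relative_path, unicode) + _string_data(arguments, unicode)


def parse_lnk(blob):
    """Return the StringData fields of a shell link, skipping the IDList and LinkInfo sections."""
    if (len(blob) < HEADER_SIZE or struct.unpack_from("<I", blob, 0)[0] != HEADER_SIZE
            or blob[4:20] != LNK_CLSID):
        raise ValueError("not a shell link (.lnk) file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", blob, off)[0]  # IDListSize excludes its own two bytes
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", blob, off)[0]  # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", blob, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = blob[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData for {name}")
        off += nbytes
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def triage_lnk(blob):
    """Parse a .lnk and return (fields, suspicious tokens seen in target path plus arguments)."""
    fields = parse_lnk(blob)
    cmdline = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in cmdline]
    return fields, hits


# Constructed samples: a decoy-document shortcut that launches PowerShell, and a benign shortcut.
MALICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-nop -w hidden -ep bypass -c "cmd /c start notice.pdf & run.bat"',
)
BENIGN_LNK = build_lnk(r"..\Program Files\Notepad++\notepad++.exe", "readme.txt")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        fields, hits = triage_lnk(blob)
        print(label, fields.get("arguments"), hits)
```

Real shortcuts usually carry an IDList and LinkInfo, which the parser skips by size rather than decoding; if the target lives only in the IDList (no RELATIVE_PATH), the command-line check sees the arguments alone, so treat an empty target with non-empty arguments as a finding in its own right.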
Quantstamp attributed the June 8 $H token compromise to tooling and methods characteristic of DPRK hackers. The attacker used stolen director keys to upgrade an Ethereum contract, move about 141.18 million $H, seize a BSC ProxyAdmin contract, and mint new…
DEVIL MARLBORO, also called MARLBORO Group, advertised an alleged 419 GB intelligence package tied to North Korea, Kimsuky, and Lazarus Group, claiming it contains offensive tool source code, vulnerabilities, backdoor and rootkit components, digital certi…
A malicious PR against Egonex-AI/Understand-Anything hid an obfuscated loader inside `homepage/astro.config.mjs`, causing `astro build`, `astro dev`, or `astro preview` to execute the payload on developer and CI systems. The loader restored `require` in a…
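Three entries above describe the same pattern: a mostly legitimate JavaScript tree (the chai-as-init copy of a pino package with two hostile files, the recruiting-lure repository with a backdoor under `app/test/index.js`, and this PR's loader in `homepage/astro.config.mjs`) where a small piece of build-time code gains execution without being imported. The scanner below is an added example, not code from any of the reports or projects, for triaging such a tree before running `npm install` or `astro build`. It flags an assumed set of constructs (`createRequire` in an ESM file, `eval`/`new Function`, `child_process`, Base64 decoding, network calls), decodes long Base64 literals and rescans them, weights files that run during a build or Git hook, and lists files that an upstream tree does not contain. The sample files and the indicator set are constructed for the example.

```python
import base64
import re

# Assumed triage heuristics (not a vendor signature set): constructs a benign site config or
# test helper rarely needs but a hidden loader almost always does.
INDICATORS = {
    "createRequire": re.compile(r"\bcreateRequire\s*\("),  # re-creates require() inside an ESM file
    "dynamic-eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "child_process": re.compile(r"child_process"),
    "base64-decode": re.compile(r"Buffer\.from\s*\([^)]*['\"]base64['\"]"),
    "network": re.compile(r"\b(?:https?://|fetch\s*\(|net\.connect|dns\.)"),
}
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{60,}={0,2})['\"]")

# Files that execute during astro build/dev/preview, other bundler runs, or Git hooks,
# so code placed there runs without anyone importing it.
AUTORUN_PATH = re.compile(
    r"(?:^|/)(?:astro|vite|next|webpack|rollup|nuxt|svelte)\.config\.[cm]?[jt]s$"
    r"|(?:^|/)\.husky/|(?:^|/)\.git/hooks/"
)


def scan_source(path, text):
    """Return the indicator names found in one file (an empty list means nothing was flagged)."""
    findings = [name for name, rx in INDICATORS.items() if rx.search(text)]
    for match in BASE64_LITERAL.finditer(text):
        findings.append("long-base64-literal")
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or not really Base64; the literal itself is still reported
        nested = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if nested:
            findings.append("decoded-payload:" + ",".join(nested))
    if findings and AUTORUN_PATH.search(path):
        findings.append("executes-during-build-or-hook")
    return findings


def scan_tree(files):
    """files: {path: text}. Returns {path: findings} for every file with at least one finding."""
    report = {}
    for path, text in files.items():
        findings = scan_source(path, text)
        if findings:
            report[path] = findings
    return report


def files_not_in_upstream(package_files, upstream_files):
    """Paths present in a published package but absent from the upstream project tree.
    Review these first: in a copied, mostly legitimate tree they are where the hostile code lives."""
    return sorted(set(package_files) - set(upstream_files))


# Constructed snapshot of a pull request (invented contents, not the real repository's code).
SAMPLE_FILES = {
    "homepage/astro.config.mjs": (
        'import { defineConfig } from "astro/config";\n'
        'import { createRequire } from "node:module";\n'
        "const require = createRequire(import.meta.url);\n"
        'const p = Buffer.from("Y29uc3QgY3A9cmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpO2NwLmV4ZWMocHJvY2Vzcy5lbnYuWCk7", "base64").toString();\n'
        'new Function("require", p)(require);\n'
        "export default defineConfig({});\n"
    ),
    "homepage/src/pages/index.astro": "---\nconst title = 'Hello';\n---\n<h1>{title}</h1>\n",
    "package.json": '{"name": "site", "scripts": {"build": "astro build"}}\n',
}

if __name__ == "__main__":
    for path, findings in scan_tree(SAMPLE_FILES).items():
        print(path, findings)
```

`createRequire` on its own is common in legitimate ESM configs, so a single finding is a prompt to read the file, not a verdict; the combination of a re-created `require`, a decoded literal that references `child_process`, and an autorun path is what justifies blocking the PR. A URL assembled from fragments at runtime, as in the `app/test/index.js` case, will not match the `network` pattern, which is why the unexpected-file list from `files_not_in_upstream` matters as a second, content-independent signal.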
The episode describes infrastructure positioned to proxy Google services as part of the identity layer around a DPRK-linked developer compromise campaign. The source is careful about scope: it does not claim Google, a certificate authority, or the deliver…
A phishing email impersonating Bithumb led Humanity Protocol director Chong Yee Wai to download a malicious attachment from an attacker-controlled host, after which a Hancom-signed loader and remote-access tooling gave the attacker control of his Windows …
Google Docs lures tied to FAMOUS CHOLLIMA show how the DPRK-nexus actor advertises fake jobs, targets developers with malicious interview tasks, and recruits proxy interview facilitators. The research pivots on Google Docs titles, resource hashes, outgoin…