North Korea Still Attacking Developers via npm
2024-08-29 • Phylum
https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/
Phylum reports a renewed August 2024 wave of North Korea-aligned npm activity aimed at developers, with packages including temp-etherscan-api, ethersscan-api, telegram-con, qq-console, helmet-validate, and sass-notification. The qq-console package and its related packages used multi-stage obfuscated JavaScript to download Python components and a Python interpreter, then searched cryptocurrency wallet browser extensions for sensitive data and established persistence. The helmet-validate package contacted ipcheck.cloud, which resolved to the same IP address previously used by mirotalk.net in the fake job campaigns attributed to North Korean actors. Phylum links the qq-console behavior to the Contagious Interview campaign and assesses sass-notification as consistent with Moonstone Sleet tradecraft: obfuscated JavaScript, batch and PowerShell scripts, execution of a DLL payload, and cleanup.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 95.164.17.24 | 2024-07-15 | 2026-04-01 |
| DOMAIN | mirotalk.net | 2024-07-15 | 2025-02-20 |
| IPv4 | 167.88.36.13 | 2024-08-29 | 2024-11-14 |
| HASH | f1f3002dec6e36e692e087626edd9b6… | 2024-08-29 | 2024-08-29 |
| HASH | d4f3113e1e0384bcf37c39678deb196… | 2024-08-29 | 2024-08-29 |
| HASH | 2a00838ccd08b26c7948d1dd25c33a1… | 2024-08-29 | 2024-08-29 |
| HASH | 0110318f70072171c0edc624c8e8be3… | 2024-08-29 | 2024-08-29 |
| HASH | f7c142178605102ee56f7e486ba68b9… | 2024-08-29 | 2024-08-29 |
| HASH | 5e5313aaf281c8a8eed29ba2c1aaa5a… | 2024-08-29 | 2024-08-29 |
| HASH | aec21b53ee4ae0b55f5018fc5aaa5a4… | 2024-08-29 | 2024-08-29 |
| HASH | 94da263d603bf735ab85f829b564261… | 2024-08-29 | 2024-08-29 |
| IPv4 | 45.61.158.14 | 2024-08-29 | 2024-08-29 |
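The following Python script is an added example, not code from the Phylum report or from this page. It turns the package names in the summary and the IPv4 and domain indicators in the table above into two checks a practitioner can run offline: a lockfile scan that flags the listed packages anywhere in the dependency tree (including nested copies) and, separately, every package npm marked with `hasInstallScript`, since install-time lifecycle hooks are where droppers of this kind execute; and an IOC matcher run over proxy log lines that also catches subdomains of the listed domains. The hashes are left out because the table truncates them. The lockfile, the `esbuild` entry, and the proxy log lines are constructed sample input; the field layout of the lockfile follows npm's v2/v3 `packages` map.

```python
import json
import re

# Package names and network indicators from the report and the IOC table above.
SUSPECT_PACKAGES = {
    "temp-etherscan-api", "ethersscan-api", "telegram-con",
    "qq-console", "helmet-validate", "sass-notification",
}
IOC_IPS = {"95.164.17.24", "167.88.36.13", "45.61.158.14"}
IOC_DOMAINS = {"mirotalk.net", "ipcheck.cloud"}


def _lock_packages(lock):
    """Yield (name, metadata) for every entry in a lockfile v2/v3 'packages' map."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the project root, not a dependency
            # "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/"
            yield path.split("node_modules/")[-1], meta


def find_suspect_packages(lockfile_text):
    """Return the sorted names of listed packages present anywhere in the tree."""
    lock = json.loads(lockfile_text)
    return sorted({name for name, _ in _lock_packages(lock) if name in SUSPECT_PACKAGES})


def install_script_packages(lockfile_text):
    """Return names npm flagged with hasInstallScript, i.e. packages whose
    preinstall/install/postinstall hooks run automatically on `npm install`."""
    lock = json.loads(lockfile_text)
    return sorted({name for name, meta in _lock_packages(lock) if meta.get("hasInstallScript")})


_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_ioc_lines(lines):
    """Return (line_number, indicator) for every line mentioning an IOC IP,
    an IOC domain, or a subdomain of an IOC domain."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in _IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
        for host in _HOST_RE.findall(line):
            host = host.lower()
            if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((n, host))
    return hits


# Constructed sample inputs: a hypothetical project lockfile and proxy log,
# not data taken from the report.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"express": "^4.19.2", "helmet-validate": "^1.0.0"}},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/esbuild": {"version": "0.23.1", "hasInstallScript": True},
        "node_modules/helmet-validate": {"version": "1.0.0", "hasInstallScript": True},
        "node_modules/helmet-validate/node_modules/qq-console": {"version": "1.0.2", "hasInstallScript": True},
    },
})

SAMPLE_PROXY_LOG = [
    "2024-08-29T10:01:02Z CONNECT registry.npmjs.org:443 200",
    "2024-08-29T10:01:05Z GET http://ipcheck.cloud/ 200",
    "2024-08-29T10:01:06Z CONNECT 95.164.17.24:443 200",
    "2024-08-29T10:02:00Z CONNECT github.com:443 200",
]

if __name__ == "__main__":
    print("listed packages in lockfile:", find_suspect_packages(SAMPLE_LOCKFILE))
    print("packages with install scripts:", install_script_packages(SAMPLE_LOCKFILE))
    for line_no, ioc in match_ioc_lines(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {ioc}")
```

On the sample data the lockfile scan reports helmet-validate and the nested qq-console, the install-script check adds the benign esbuild (a reminder that `hasInstallScript` is a triage signal, not a verdict), and the log matcher flags the ipcheck.cloud request and the connection to 95.164.17.24 while ignoring registry and GitHub traffic.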