2024-08-24 • Hackhunting •
A July 2024 software supply-chain roundup notes that North Korean threat actors published multiple malicious npm packages targeting developers, with activity reportedly continuing for about a year. Some of the npm packages mimicked trusted or popular packages while adding malicious functionality, placing developer environments and downstream open-source users at risk. The same source lists related IOCs, including package names resembling AliCloud, Tencent Cloud, and Python SDK tooling, plus command-and-control URLs and infrastructure. The DPRK-relevant section matters because it shows North Korean operators continuing to abuse public package ecosystems as an access vector into developer workflows.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 142.111.77.196 | 2024-08-01 | 2025-10-20 |
| DOMAIN | cryptocopedia.com | 2024-07-08 | 2025-05-16 |
| [email protected] | 2024-08-24 | 2024-08-24 | |
| URL | https://rentry.co/2p7kv9d8/raw | 2024-08-24 | 2024-08-24 |
| URL | https://rentry.co/foyntbdk/raw | 2024-08-24 | 2024-08-24 |
| URL | https://ipfs.io/ipfs/QmQcn1grVA… | 2024-08-24 | 2024-08-24 |
| URL | https://rentry.co/xcsshmno/raw | 2024-08-24 | 2024-08-24 |
| URL | Https://ipfs.io/ipfs/QmQcn1grVA… | 2024-08-24 | 2024-08-24 |
| URL | https://rentry.co/7hnvbc6n/raw | 2024-08-24 | 2024-08-24 |
| URL | https://api.aliyun-sdk-requests… | 2024-08-24 | 2024-08-24 |
| URL | https://api.aliyun-sdk-requests… | 2024-08-24 | 2024-08-24 |
| URL | https://api.aliyun-sdk-requests… | 2024-08-24 | 2024-08-24 |
| DOMAIN | tg.aliyun-sdk-requests.xyz | 2024-08-24 | 2024-08-24 |
| DOMAIN | europe-west2-workload-422915.cl… | 2024-08-24 | 2024-08-24 |
| DOMAIN | api.aliyun-sdk-requests.xyz | 2024-08-24 | 2024-08-24 |
| IPv4 | 147.45.44.114 | 2024-08-24 | 2024-08-24 |
| IPv4 | 119.8.26.163 | 2024-08-24 | 2024-08-24 |
| URL | https://cryptocopedia.com/explo… | 2024-07-08 | 2024-08-24 |