Introduction

In October 2024 [5], the Tenacious Pungsan group executed a sophisticated supply chain attack on the npm ecosystem [2], targeting developers by publishing malicious packages that mimicked legitimate software. This attack is part of a broader North Korean campaign known as Contagious Interview, which has been active since 2023 and focuses on the US tech industry.

Description

In October 2024 [5], the Tenacious Pungsan group executed a supply chain attack on the npm ecosystem by publishing three malicious packages that mimicked legitimate software [2]. The packages [2] [3] were passports-js, a backdoored copy of the widely used passport authentication middleware (118 downloads); bcrypts-js, a backdoored copy of bcryptjs (81 downloads) [4]; and blockscan-api, a backdoored copy of etherscan-api (124 downloads) [4]. All three were attributed to the North Korean campaign known as Contagious Interview [4]. This ongoing campaign [1], active since 2023, targets job-seekers in the US tech industry [3]: North Korean threat actors pose as recruiters and socially engineer developers into installing backdoored software packages.

Datadog Security Research tracks this activity as Tenacious Pungsan; other vendors track the same cluster as CL-STA-0240 and Famous Chollima [4]. In total [1], the three packages accumulated 323 downloads before being removed from the registry. The attackers obfuscated the malicious code to hinder review [1]: random identifiers, stripped formatting, and nonstandard text encodings or encryption [1]. The payload, BeaverTail [5], is a JavaScript downloader and information stealer [4] [5] that targets cryptocurrency wallets [1] [2], credit card information [1] [3], login keychains [1] [2] [3], and browser caches on both Unix and Windows systems [3]. It exfiltrates the collected data [2] [5], including browser history and personal identification data [5], to attacker-controlled command-and-control servers [2].
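The traits listed above (random identifiers, stripped formatting, nonstandard encodings, and a downloader that fetches and runs code) are cheap to screen for before a package's code is ever executed. The following is an added example, not code from the page and not Datadog's analysis tooling: a heuristic triage of the JavaScript files in a package. The indicator patterns, the `_0x`-style identifier convention, the average-line-length limit and the score cut-off are assumptions to tune locally, and both sample sources are constructed.

```javascript
// Added example (not code from the page, and not Datadog's analysis tooling).
// Heuristic triage of JavaScript files in a package for the traits the text
// describes: random identifiers, stripped formatting, nonstandard encodings,
// and loader behaviour (dynamic code execution, spawning processes, fetching
// from the network). Thresholds and weights are assumptions to tune locally.

const INDICATORS = [
  // [label, pattern, weight]; the weight is added once per indicator that appears
  ["hex-style identifiers", /\b_0x[0-9a-f]{4,}\b/g, 2],          // _0x1a2b-style names
  ["hex/unicode escapes", /\\(?:x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})/g, 1],
  ["dynamic code execution", /\b(?:eval|Function)\s*\(/g, 3],
  ["string reassembly", /String\.fromCharCode|\batob\s*\(|Buffer\.from\([^)]*['"]base64['"]\)/g, 2],
  ["process spawning", /child_process|\bexecSync\b|\bspawn\s*\(/g, 2],
  ["network fetch", /\brequire\(['"]https?['"]\)|\bfetch\s*\(|\baxios\b/g, 1],
];
const AVG_LINE_LIMIT = 120;   // assumed: hand-written code averages far less, minified/obfuscated code far more
const SUSPICIOUS_SCORE = 6;   // assumed cut-off

function countMatches(src, re) {
  const m = src.match(re);
  return m ? m.length : 0;
}

// Score one source file; returns the score, the indicators that fired, and a verdict.
function analyzeSource(src) {
  const hits = {};
  let score = 0;
  for (const [label, re, weight] of INDICATORS) {
    const n = countMatches(src, re);
    if (n > 0) {
      hits[label] = n;
      score += weight;
    }
  }
  // Stripped formatting shows up as a very high average line length.
  const lines = src.split(/\r?\n/);
  const avgLine = src.length / lines.length;
  if (avgLine > AVG_LINE_LIMIT) {
    hits["formatting stripped"] = Math.round(avgLine);
    score += 2;
  }
  return { score, hits, verdict: score >= SUSPICIOUS_SCORE ? "suspicious" : "likely benign" };
}

// Scan every file of a package (filename -> source) and return flagged files, worst first.
function scanPackage(files) {
  return Object.entries(files)
    .map(([file, src]) => ({ file, ...analyzeSource(src) }))
    .filter(r => r.verdict === "suspicious")
    .sort((a, b) => b.score - a.score);
}

// Constructed samples, not real package contents.
const BENIGN = `const express = require('express');
const app = express();
app.get('/', (req, res) => res.send('ok'));
app.listen(3000);`;

// One long line of hex-named variables, escaped strings, eval and a spawned process.
const SUSPICIOUS = `var _0x3a1f=['\\x68\\x74\\x74\\x70','\\x67\\x65\\x74'];` +
  `function _0x2b9c(){var _0x1d4e=require(_0x3a1f[0]);return _0x1d4e;}` +
  `var _0x5e7d=process.platform==='win32'?process.env.APPDATA:process.env.HOME;` +
  `eval(String.fromCharCode(118,97,114));` +
  `require('child_process').execSync('node '+_0x5e7d+'/x.js');`;

const report = scanPackage({ "lib/index.js": BENIGN, "lib/helpers.js": SUSPICIOUS });
console.log(JSON.stringify(report, null, 2));
```

Run it over the unpacked tarball of a new dependency (`npm pack <pkg>` then read each `.js` file into the map) before the first `npm install` executes any of its scripts. Minified but legitimate bundles will trip the formatting rule on their own, which is why the verdict needs several indicators to agree; a hit on dynamic code execution plus process spawning in a package that has no business doing either is what deserves a manual look.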

The attack also relied on namesquatting [2] [3]: the malicious packages carried names close to those of trusted software [2], so that developers who mistyped or misremembered a dependency name pulled in the backdoored copy instead [2]. BeaverTail reuses infrastructure from earlier DPRK-linked operations. It downloads a second-stage backdoor, InvisibleFerret [2], from hard-coded URLs that embed campaign IDs, and those IDs let researchers link these packages to previous operations [2]. Two distinct campaign IDs were observed [3], indicating a fresh effort aimed at Node.js developers [3]. Copying a legitimate npm package and appending a backdoor is a recurring tactic of these actors [2], and it exposes every downstream user of the poisoned package [2]. Developers are urged to adopt defensive practices around their dependencies [5], since the rise in attacks on software dependencies shows how much damage a single malicious package can do [5].
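The namesquatting pattern can be checked mechanically at the point where a dependency is added. The following is an added example, not code from the page and not Datadog's tooling: it audits a dependency list for a name that is a near-copy of a trusted package, registry metadata that points at a different project, and a download count far too small for the package it claims to be. `POPULAR` and `REGISTRY` are constructed stand-ins for data you would pull from npm (`npm view <pkg> repository` and the downloads API); the three small download counts are the totals quoted above, while the other count and every repository URL are hypothetical, and the stem rules and thresholds are assumptions.

```javascript
// Added example (not code from the page and not Datadog's tooling). Audits a
// dependency list for the namesquatting pattern described above. POPULAR and
// REGISTRY are constructed stand-ins for npm data; thresholds are assumptions.

const POPULAR = ["passport", "bcryptjs", "etherscan-api", "express", "lodash"];

// Constructed registry snapshot. The three small download counts are the totals the
// text quotes; the other count and all repository URLs are hypothetical, chosen to
// illustrate the heuristic that a copied package often keeps the upstream's metadata.
const REGISTRY = {
  "express":       { repository: "https://github.com/expressjs/express", downloads: 30000000 },
  "passports-js":  { repository: "https://github.com/jaredhanson/passport", downloads: 118 },
  "bcrypts-js":    { repository: "https://github.com/dcodeIO/bcrypt.js", downloads: 81 },
  "blockscan-api": { repository: "https://github.com/sebs/etherscan-api", downloads: 124 },
};
const LOW_DOWNLOADS = 1000;   // assumed cut-off

// Reduce a name to a comparable stem: drop scope and punctuation, then decorative
// suffixes and a trailing plural "s", so passports-js and passport both become "passport".
function stem(name) {
  let s = name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[^a-z0-9]/g, "");
  for (const suffix of ["js", "node", "api"]) {            // assumed list of decorative suffixes
    if (s.length > suffix.length + 3 && s.endsWith(suffix)) s = s.slice(0, -suffix.length);
  }
  if (s.length > 4 && s.endsWith("s")) s = s.slice(0, -1);
  return s;
}

// Standard Levenshtein edit distance, for near-miss spellings the stem rules miss.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

function repoBasename(url) {
  return url.replace(/\.git$/, "").replace(/\/+$/, "").split("/").pop();
}

// Returns { depName: [reasons] }; an empty list means nothing looked wrong.
function auditDependencies(deps, registry, popular) {
  const findings = {};
  for (const dep of deps) {
    const reasons = [];
    const depStem = stem(dep);
    for (const p of popular) {
      if (p !== dep && levenshtein(depStem, stem(p)) <= 1) reasons.push(`lookalike of ${p}`);
    }
    const meta = registry[dep];
    if (!meta) {
      reasons.push("not present in registry snapshot");
    } else {
      if (meta.repository) {
        const base = repoBasename(meta.repository);
        if (stem(base) !== depStem) reasons.push(`repository points at ${base}, not ${dep}`);
      } else {
        reasons.push("no repository metadata");
      }
      if (meta.downloads < LOW_DOWNLOADS) reasons.push(`only ${meta.downloads} downloads`);
    }
    findings[dep] = reasons;
  }
  return findings;
}

const AUDIT = auditDependencies(["express", "passports-js", "bcrypts-js", "blockscan-api"], REGISTRY, POPULAR);
console.log(AUDIT);
```

The two typosquat-style names are caught by the stem comparison alone; blockscan-api is a rebranding rather than a misspelling, so only the metadata and download-count rules reach it, which is why the check should never rest on name similarity by itself. Any non-empty reason list is a prompt to open the package's repository and compare it with what is actually in the tarball before installing.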

Conclusion

The Tenacious Pungsan group’s attack on the npm ecosystem underscores the risk that open-source supply chains carry: a few hundred downloads of a lookalike package were enough to put an information stealer on developer workstations. The obfuscation and the reuse of earlier infrastructure show a campaign that adapts rather than one that starts over. To mitigate these risks [5], developers should adopt concrete practices [5]: check that a package’s name, maintainer and repository match the project it claims to be before adding it, pin dependencies in a lockfile and review lockfile changes, and treat a newly published package with very few downloads as untrusted until it has been read. The persistent threat from North Korean actors calls for ongoing vigilance and proactive measures to safeguard software dependencies and protect sensitive data from future attacks.

References

[1] https://www.govinfosecurity.com/north-korean-hackers-spreading-malware-via-fake-interviews-a-26639
[2] https://www.hendryadrian.com/north-korean-cyber-espionage-group-tenacious-pungsan-compromises-open-source-repositories-with-backdoored-npm-packages/
[3] https://blog.netmanageit.com/tenacious-pungsan-a-dprk-threat-actor-linked-to-contagious-interview/
[4] https://thehackernews.com/2024/10/beavertail-malware-resurfaces-in.html
[5] https://krofeksecurity.com/beavertail-malware-strikes-beware-malicious-npm-packages-targeting-developers/