
North Korean cybercriminals are exploiting NPM packages to pilfer cryptocurrency and confidential information.

A North Korean cryptocurrency theft campaign has resurfaced, using twelve malicious NPM packages to target developers and steal digital assets. The campaign marks a significant escalation in supply chain attacks, exploiting the trust developers place in open-source package registries to distribute malware capable of cross-platform data exfiltration. The attackers rely on social engineering: they approach developers under the guise of technical interviews and persuade them to install the malicious packages as part of a coding exercise. Once installed, the packages deploy variants of the Beavertail malware, which systematically searches for cryptocurrency wallets, browser extensions and sensitive files, including stored passwords, documents and environment variables. The malware supports Windows, macOS and Linux and employs multiple layers of obfuscation to evade detection.

Veracode analysts identified the campaign through continuous monitoring, initially flagging four suspicious packages: Cloud-Binary, Json-Cookie-Csv, Cloudmedia and Nodemailer-Enhancer. Further investigation uncovered eight more, bringing the total to twelve malicious NPM packages. The researchers also noted that the malware has evolved: the new samples create a ~/.n3 directory, whereas previously documented samples used ~/.n2, which suggests a third major version. The threat actors use several command-and-control servers listening on port 1224 and encrypt their payloads with AES-256-CBC. The malware maintains persistent communication with those servers over WebSocket connections and HTTP requests, enabling real-time command execution and data exfiltration. Differing encryption keys and obfuscation strategies across package versions indicate that the campaign is under active development.
