Supply Chain Attack in the npm Ecosystem Linked to North Korean Hackers
A recent security investigation has revealed a supply chain attack targeting the npm ecosystem, identified as being linked to threat actors associated with North Korea (DPRK). This alarming development underscores the growing risks that developers face from sophisticated cyber threats, especially in the realm of open-source libraries.
At the center of this campaign is a malicious npm package called terminal-logger-utils. This package is not just a simple malicious entity; it harbors a complex multi-stage malware designed to execute keystroke logging, steal data, and provide remote control over infected systems. The malware is executed through three dependent libraries: pretty-logger-utils, ts-logger-pack, and pinno-loggers. These dependencies trigger the malicious payload automatically upon installation, significantly increasing the likelihood of infection. By leveraging these indirect dependencies, which developers typically trust, the attackers effectively stealthily infiltrate development environments.
The investigation attributes the nefarious activities to an individual using the alias “jpeek895,” who has been previously linked to similar npm-based attacks by renowned security researchers at kmsec.uk. The presence of multiple npm accounts associated with this campaign — including pvnd3540749, yggedd817513, and jpeek886 — suggests a coordinated effort aimed at spreading these malicious packages more widely across the npm ecosystem.
According to a report released by OX Security, this specific malicious npm package contains functionalities typical of keyloggers, infostealers, and Remote Access Trojans (RATs). When developers install the package, a malicious post-install script embedded within the package.json file executes an obfuscated JavaScript file, which is named utils.cjs. This file serves as a dropper that initially profiles the victim’s system and subsequently downloads a second-stage payload specifically tailored for the operating platform in use.
Remarkably, this second-stage payload is hosted on Hugging Face, a legitimate platform commonly used for machine learning and AI model distribution. The abuse of such a trusted platform highlights a disturbing trend in cyberattacks, where malicious actors exploit known infrastructures to evade detection by security measures.
Upon its download, the second-stage payload masquerades as a bundled Node.js binary—this disguises the embedded malicious code effectively. It installs itself onto the victim’s system, gaining persistence by embedding itself within the Windows directory at %LOCALAPPDATA%\MicrosoftSystem64. Additionally, it uses a hidden VBS script and scheduled tasks to maintain this presence, along with a registry Run key to act as a fallback mechanism.
At runtime, the installed malware executes several concurrent processes focusing on profiling the system, tracking clipboard activities, and continuously logging keystrokes. Sensitive data collected from the compromised machine is sent through HTTP requests to specific endpoints, such as /api/validate/keyboard-events. Notably, the malware is also designed to track password entries separately, significantly enhancing its capability to harvest sensitive user credentials.
The scope of the data targeted by the malware is extensive, including session files from Telegram Desktop, credential databases from web browsers, cryptocurrency wallet information, SSH keys, and vital cloud configuration files associated with services like AWS, Google Cloud, and Azure. Moreover, the malware scans local drives for files that match predefined keywords, aiming to locate high-value data swiftly. Stolen information is typically compressed and subsequently uploaded to repositories controlled by the attackers, with Telegram session data routed directly to command-and-control (C2) servers.
The capabilities of this malware do not end with data theft; it also affords full remote access to attackers, facilitated via a WebSocket-based C2 channel. This channel enables them to execute shell commands remotely, manipulate files, capture screenshots, and inject inputs directly into the user’s session.
Adding to its insidiousness, the malware contains a self-update mechanism that allows operators to deploy new payload versions from remote repositories without requiring any interaction from the end user.
Security professionals have sounded the alarm, indicating that this campaign exemplifies the increased sophistication with which supply chain attacks are being executed in open-source ecosystems. By marrying trusted package registries with legitimate hosting environments, attackers circumvent traditional security defenses, establishing a persistent foothold within developer settings.
In light of this alarming incident, organizations and developers are strongly advised to remove any affected packages from their systems immediately. Additionally, they should closely monitor network activity for any indicators of compromise, rotate relevant credentials, and enforce multi-factor authentication to bolster their defenses. This situation highlights the critical need for dependency auditing and continuous runtime monitoring within modern software development practices to safeguard against such threats.