A recent discovery has shed light on a new North Korean threat actor that is expanding its distribution of malicious npm code to public registries, posing a serious risk to the software supply chain. This actor, known as Moonstone Sleet, has been actively engaging in espionage and financial cyberattacks targeting aerospace, education, and software organizations and developers.
Moonstone Sleet first came to attention late last month, when Microsoft disclosed the group's involvement in a range of cyber activities. The group was found to be spreading malicious npm packages through platforms such as LinkedIn and freelancer websites while attempting to secure remote tech jobs with legitimate companies. According to a recent blog post by researchers from CheckMarx, Moonstone Sleet's malicious npm package activity is now known to be more widespread than initially reported.
The group strategically places these malicious packages in public open source repositories accessible to developers, thereby increasing their attack surface. This activity highlights the growing threat posed by sophisticated adversaries to the open-source ecosystem, as noted by Tzachi Zornstein and Yehuda Gelb from CheckMarx.
A key distinction that sets Moonstone Sleet apart from other North Korean threat actors, such as Lazarus, is its approach to structuring and executing its malicious packages. Moonstone Sleet has been observed using a single-package approach in which the payload activates immediately upon installation. Furthermore, the group has developed code that can target Linux systems in addition to Windows, showing that its tactics and capabilities continue to evolve.
In contrast, Lazarus has traditionally utilized a paired package system to distribute malicious functionality, making it more challenging to detect and trace back to the source. By comparing the methods of these two threat actors, researchers are gaining valuable insights into the shifting landscape of cyber threats targeting the open-source community.
The release of malicious npm packages by North Korean threat actors poses a significant ongoing risk to the open-source ecosystem, as developers often rely on public registries for software development. The trust placed in these repositories is being exploited by attackers, underscoring the need for heightened vigilance and collaboration within the community.
While the responsibility for safeguarding the software supply chain primarily lies with consuming organizations, developers and organizations must also take proactive measures to scan code for malicious behavior and share threat intelligence to prevent future attacks. By working together and implementing effective security measures, the open-source ecosystem can become safer and more resilient against the evolving threats posed by malicious actors like Moonstone Sleet.