North Korea-Linked npm Packages Steal Developer Secrets
Threat actors associated with North Korea have deployed malicious npm packages designed to steal developer secrets and provide remote access. JFrog researchers identified these packages, "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core," which closely imitate the legitimate "rollup-plugin-polyfill-node" project. The malicious packages mimic the original's description, repository metadata, and even its versioning strategy to deceive developers into installing them.
Upon installation, these malicious packages execute code that targets sensitive information stored within developer environments. This includes environment variables, configuration files, and potentially authentication tokens. The primary objective appears to be the exfiltration of these secrets, which could then be used for further malicious activities, such as unauthorized access to code repositories, cloud infrastructure, or other sensitive systems. The attackers also incorporated functionality for establishing remote access, allowing them to control compromised systems.
This campaign highlights a sophisticated supply chain attack vector targeting the developer ecosystem. By impersonating widely used tools, the attackers aim to bypass security measures and gain access to valuable intellectual property and credentials. The use of npm, a popular package manager for JavaScript, means a broad range of developers and projects could be at risk. The discovery underscores the ongoing threat posed by state-sponsored or state-affiliated hacking groups to software development pipelines.
JFrog has alerted the npm security team and provided details on the malicious packages to facilitate their removal from the registry. Developers are strongly advised to exercise extreme caution when installing new npm packages, especially those that appear to be polyfills or utility tools. Thoroughly vetting the source, checking for recent activity, and verifying the authenticity of package maintainers are crucial steps in mitigating such risks. This incident serves as a reminder of the importance of robust security practices throughout the software development lifecycle.
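As an added example (not part of the original report or of JFrog's tooling), the Python script below applies two of those vetting steps offline to constructed sample package manifests: it flags dependency names that closely resemble a known package without being that package, and it lists any scripts npm would run automatically at install time. The allowlist, the similarity cutoff and the manifest contents are assumptions for illustration; only the two lookalike names come from the report.

```python
import difflib
import json
from pathlib import Path

# Constructed allowlist: packages this project is expected to depend on.
KNOWN_PACKAGES = ["rollup", "rollup-plugin-polyfill-node", "lodash", "express"]

# Lifecycle scripts npm runs automatically for a dependency during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample manifests shaped like node_modules/<pkg>/package.json.
# The two lookalike names are from the report; versions and scripts are invented here.
SAMPLE_MANIFESTS = [
    {"name": "rollup-plugin-polyfill-node", "version": "0.13.0", "scripts": {"test": "jest"}},
    {"name": "rollup-packages-polyfill-core", "version": "0.13.0",
     "scripts": {"postinstall": "node ./setup.js"}},
    {"name": "rollup-runtime-polyfill-core", "version": "0.13.0"},
    {"name": "lodash", "version": "4.17.21"},
]

def lookalike_of(name, known=KNOWN_PACKAGES, cutoff=0.65):
    """Return the known package `name` most resembles, or None if it is known or dissimilar."""
    if name in known:
        return None
    matches = difflib.get_close_matches(name, known, n=1, cutoff=cutoff)
    return matches[0] if matches else None

def install_hooks(manifest):
    """Return the scripts that would execute when this dependency is installed."""
    scripts = manifest.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

def audit(manifests, known=KNOWN_PACKAGES):
    """Flag lookalike names and install-time scripts; a package showing both ranks highest."""
    findings = []
    for manifest in manifests:
        name = manifest.get("name", "")
        target = lookalike_of(name, known)
        hooks = install_hooks(manifest)
        if target or hooks:
            findings.append({"name": name, "lookalike_of": target, "install_hooks": hooks,
                             "severity": "high" if target and hooks else "medium"})
    return findings

def load_manifests(node_modules):
    """Read top-level, unscoped node_modules/<pkg>/package.json files from a real tree."""
    return [json.loads(p.read_text()) for p in Path(node_modules).glob("*/package.json")]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFESTS):
        print(finding)
```

Running it against a real install tree is a matter of replacing `SAMPLE_MANIFESTS` with `load_manifests("node_modules")` and extending the allowlist with the project's declared dependencies.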
Original source: read the full reporting on The Hacker News.