North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT
Briefly

"The loader extracts C2 URLs steganographically encoded within three Pastebin pastes, innocuous computer science essays in which characters at evenly-spaced positions have been replaced to spell out hidden infrastructure addresses. All identified packages come with an install script that's automatically executed during package installation, which runs the malicious payload located in vendor/scrypt-js/version.js."
"North Korean threat actors have published a set of 26 malicious packages to the npm registry. The packages masquerade as developer tools, but contain functionality to extract the actual command-and-control by using seemingly harmless Pastebin content as a dead drop resolver and ultimately drop a developer-targeted credential stealer and remote access trojan."
North Korean threat actors have released 26 malicious packages on the npm registry as part of the Contagious Interview campaign; the activity is tracked as StegaBin. The packages impersonate legitimate developer tools and execute their malicious payload during installation through npm install scripts. The loader uses steganographic decoding to recover command-and-control URLs hidden in seemingly innocent Pastebin computer science essays, in which the characters at evenly-spaced positions spell out infrastructure addresses. The C2 infrastructure operates across 31 Vercel deployments. Each package declares legitimate dependencies to appear credible, and the payload acts as a text steganography decoder that retrieves the hidden C2 addresses and then deploys credential stealers and remote access trojans targeting developers.
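The two behaviours the summary describes, an automatically executed install script that launches a file under `vendor/`, and a cover text whose every N-th character spells out a URL, can both be triaged mechanically. The following is an added example written for this page; it is not code from The Hacker News article or from the StegaBin packages. The `package.json` fixture, the filler "essay", the stride of 7 and the placeholder `https://c2.example/p` are all constructed for the demonstration (the `vendor/scrypt-js/version.js` path is the one named in the article). The URL check tries every stride and offset up to a bound and reports any URL-shaped string it finds, so it does not need to know the stride in advance.

```python
"""Defensive triage for the StegaBin behaviours: flag npm lifecycle hooks that
run vendored scripts, and detect URLs hidden at evenly-spaced character
positions in a text. Added example; not code from the article or campaign."""
import json
import re
from typing import Dict, List, Tuple

# npm lifecycle hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Loose URL shape: scheme, host with a TLD, optional path.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/[A-Za-z0-9._/-]*)?")


def flag_install_scripts(package_json: str) -> List[Tuple[str, str, bool]]:
    """Return (hook, command, suspicious) for each lifecycle hook present.

    A hook is marked suspicious when it runs node on a path under vendor/,
    the pattern the article attributes to these packages."""
    scripts: Dict[str, str] = json.loads(package_json).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        suspicious = bool(re.search(r"\bnode\b.*\bvendor/", cmd))
        findings.append((hook, cmd, suspicious))
    return findings


def find_stride_urls(text: str, max_stride: int = 64) -> List[Tuple[int, int, str]]:
    """Extract text[offset::stride] for every stride in 1..max_stride and every
    offset below the stride, and report (stride, offset, url) for each URL
    found. Stride 1 is the plain text, so openly written URLs are reported too."""
    hits = []
    for stride in range(1, max_stride + 1):
        for offset in range(stride):
            sub = text[offset::stride]
            for m in URL_RE.finditer(sub):
                hits.append((stride, offset, m.group(0)))
    return hits


# --- constructed fixtures -------------------------------------------------

# Constructed package.json: one benign hook and one that runs a vendored file.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-dev-tool",                 # constructed name
    "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "prepare": "tsc",
        "postinstall": "node vendor/scrypt-js/version.js",
    },
})

SECRET_URL = "https://c2.example/p"   # placeholder, not a real indicator
STRIDE = 7
# Constructed filler standing in for the "computer science essay" cover text.
_FILLER = ("Sorting algorithms are usually compared by their asymptotic running time "
           "and by how much extra memory they allocate while they work. ")
assert len(_FILLER) >= len(SECRET_URL) * (STRIDE - 1), "filler too short"

# Build the cover text: each secret character is followed by STRIDE-1 filler
# characters, so the secret sits at positions 0, STRIDE, 2*STRIDE, ...
SAMPLE_PASTE = "".join(
    ch + _FILLER[i * (STRIDE - 1):(i + 1) * (STRIDE - 1)]
    for i, ch in enumerate(SECRET_URL)
)


if __name__ == "__main__":
    for hook, cmd, bad in flag_install_scripts(SAMPLE_PACKAGE_JSON):
        print(f"{'SUSPICIOUS' if bad else 'ok        '} {hook}: {cmd}")
    for stride, offset, url in find_stride_urls(SAMPLE_PASTE):
        print(f"stride={stride} offset={offset} url={url}")
```

Running the block prints the `postinstall` hook as suspicious and recovers the planted URL at stride 7, offset 0. In practice the same checks belong in a pre-install review of a package tarball (lifecycle hooks plus any file they execute) and in the analysis of any text the loader fetches at runtime.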
Read at The Hacker News