Days after it was revealed that one of the most relied upon JavaScript packages in the world had been compromised in a software supply chain attack that could impact millions of users, security analysts are pointing the finger at hackers with links to North Korea.
“We have attributed the attack to a suspected North Korean threat actor we track as UNC1069,” John Hultquist, chief analyst at Google Threat Intelligence Group, told Cyber Daily.
“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts.”
UNC1069 is known by several names depending on who is doing the attribution: APT38, COPERNICIUM, TAG-71, Lazarus Group, CageyChameleon, Leery Turtle, TA444, and Stardust Chollima, to name a few.
Regardless of how it’s named, the group is thought to be linked to Bureau 121 of the DPRK’s Reconnaissance General Bureau.
The Axios Node Package Manager (npm) package was compromised on 31 March via the maintainer’s own credentials, which were stolen before the attack.
Feross Aboukhadijeh, CEO of cyber security firm Socket, outlined the impact of the compromise in a post to X.
“The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise,” Aboukhadijeh said.
“This is textbook supply chain installer malware. Axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.”
The malicious payload is malware capable of embedding operational strings at runtime, evading static analysis, copying payload files into OS temp and Windows ProgramData directories, and deleting and renaming artifacts to hamper forensic investigation.
CrowdStrike has also been investigating the incident and has pointed its finger at North Korea.
“CrowdStrike Counter Adversary Operations attributes this activity to Stardust Chollima with moderate confidence based on the adversary’s deployment of updated variants of ZshBucket (malware uniquely attributed to Stardust Chollima) and overlaps with known Stardust Chollima infrastructure,” the company said in a 1 April blog post.
ZshBucket is capable of targeting Linux, macOS, and Windows devices, and the version currently being deployed has had some “significant updates”, according to CrowdStrike, including the ability to implement a common JSON-based messaging protocol and run commands that allow its operator to “inject binary payloads, execute arbitrary scripts and commands, enumerate the file system, and remotely terminate the implant”.
As to the motive behind the campaign, raising funds for the DPRK seems to be the goal.
“Stardust Chollima’s operations prioritise currency generation and regularly target cryptocurrency holders, and the adversary has also conducted widespread supply chain compromises impacting fintech companies’ npm and PyPi repositories,” CrowdStrike said.
“Based on these factors, CrowdStrike Counter Adversary Operations assesses the adversary’s motivation probably aligns with this currency generation objective.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.