Source: Igor Stevanovic via Alamy Stock Photo

A newly identified North Korean threat actor has widened its distribution of malicious node package manager (npm) code to public registries. And it's differentiating itself from other state-sponsored groups as it ramps up activity to threaten the software supply chain by poisoning open source code repositories.

Moonstone Sleet first appeared on the scene late last month, when Microsoft revealed that the threat group concurrently was engaged in espionage and financial cyberattacks using a grab bag of attack techniques against aerospace, education, and software organizations and developers.

Among those techniques was to try to get hired for remote tech jobs with real companies and, in the process, spread malicious npm packages on LinkedIn and freelancer websites. Now researchers from CheckMarx have discovered that the scope of Moonstone Sleet's malicious npm package activity is wider than first reported, according to a blog post published on June 13.

The actor is "placing those malicious packages in public open source package repositories that are accessible to developers," an activity that allows the actor to expand its attack surface, Tzachi Zornstein, head of software supply chain at Checkmarx, tells Dark Reading.

"With the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors … it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries," Zornstein and fellow CheckMarx researcher Yehuda Gelb wrote in the post.

The researchers cite the multiyear supply chain attack that started with a backdoor implanted in the XZ Utils data compression utility to demonstrate how spreading malicious open source code can have a massive ripple effect across the security of enterprise software.

Differentiation From Lazarus Activity

CheckMarx also discovered how Moonstone Sleet is setting itself apart through the structure and the style of its malicious code packages from another well-known and prolific North Korean actor — Jade Sleet, better known as Lazarus — that engages in similar activity.

The newest packages published late last year and in the first quarter of 2024 show Moonstone Sleet using "a single-package approach" that executes its payload immediately upon installation, the researchers wrote.

Further, while earlier malicious payloads "included OS-specific code, executing only if it detected that it was running on a Windows machine," packages released earlier this year show the actor adding obfuscation and creating code to target Linux systems if that OS is detected by the package, the researchers revealed.

In contrast, Lazarus designed its packages, discovered in the summer of 2023, to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality. "This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source," Zornstein and Gelb wrote.

The first package from Lazarus would create a directory on the victim's machine, fetch updates from a remote server, and save them in a file within the newly created directory, while the second package would execute the malicious payload.

Evolving Threat to Open Source Ecosystem

The tactic of publishing malicious npm packages by North Korean threat actors in general "underscores the persistent nature of their campaign" and poses a growing risk for the open source community that depends on public registries for software development.

"By uploading those malicious packages to a public registry, the attackers abuse the trust that developers have for the open source registries," Zornstein says.

However, while the open source community plays a key role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the organizations that consume these packages. That's why it's imperative for organizations to "scan the code in the packages for malicious behaviors … prior to making the code available to developers," he says.

Developers and organizations also should continue to collaborate and share information among themselves and with the security community to identify and thwart these attacks, the researchers said. "Through collective effort and proactive measures," they wrote, "we can work towards a safer and more secure open-source ecosystem for all."