Connect with us

Hi, what are you looking for?



GitHub Warns of North Korean Social Engineering Attacks Targeting Tech Firm Employees

North Korean hackers are targeting employees at technology firms with repository invitations and malicious NPM packages.

A North Korean threat actor has been observed targeting employees at technology firms in a new low-volume social engineering campaign, Microsoft-owned code hosting platform GitHub reports.

As part of the observed attacks, employees are invited to collaborate on GitHub repositories that contain software fetching malicious NPM packages meant to infect the intended victims’ computers with additional malware.

“Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign,” the code hosting platform says.

GitHub is confident that the ongoing campaign is perpetrated by a North Korean threat actor tracked as Jade Sleet, and which is also known as TraderTraitor.

To orchestrate the attacks, Jade Sleet impersonates a developer or recruiter, creating fake persona accounts on GitHub, LinkedIn, Slack, and Telegram, or taking control of legitimate accounts.

These accounts are then used to contact employees at tech firms, which are invited to collaborate on a repository. The threat actor then convinces the victim to clone the repository and execute it on their machine, leading to malware infection.

“The threat actor often publishes their malicious packages only when they extend a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny,” GitHub explains.

Advertisement. Scroll to continue reading.

In some cases, messaging services or file sharing platforms may be used to deliver the malicious packages and initiate the infection chain.

GitHub says it has suspended the NPM and GitHub accounts associated with the attacks and also filed abuse reports for the identified domains that were still available.

Previous iterations of the TraderTraitor campaign JavaScript applications leveraging Node.js and the Electron framework were used to infect victims with the Manuscrypt RAT.

Similar activity was reported by Phylum in late June and by SentinelOne on Thursday, in association with the recent cyberattack on JumpCloud.

Related: US, South Korea Detail North Korea’s Social Engineering Techniques

Related: US Sanctions North Korean University for Training Hackers

Related: North Korean Hackers Target Mac Users With New ‘RustBucket’ Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...