A North Korean threat actor has been observed targeting employees at technology firms in a new low-volume social engineering campaign, Microsoft-owned code hosting platform GitHub reports.
As part of the observed attacks, employees are invited to collaborate on GitHub repositories that contain software fetching malicious NPM packages meant to infect the intended victims’ computers with additional malware.
“Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign,” the code hosting platform says.
GitHub is confident that the ongoing campaign is perpetrated by a North Korean threat actor tracked as Jade Sleet, and which is also known as TraderTraitor.
To orchestrate the attacks, Jade Sleet impersonates a developer or recruiter, creating fake persona accounts on GitHub, LinkedIn, Slack, and Telegram, or taking control of legitimate accounts.
These accounts are then used to contact employees at tech firms, which are invited to collaborate on a repository. The threat actor then convinces the victim to clone the repository and execute it on their machine, leading to malware infection.
“The threat actor often publishes their malicious packages only when they extend a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny,” GitHub explains.
In some cases, messaging services or file sharing platforms may be used to deliver the malicious packages and initiate the infection chain.
GitHub says it has suspended the NPM and GitHub accounts associated with the attacks and also filed abuse reports for the identified domains that were still available.
Similar activity was reported by Phylum in late June and by SentinelOne on Thursday, in association with the recent cyberattack on JumpCloud.