Shadow Code Campaign: North Korean Hackers Target Developers with Malicious NPM Packages

Tags: Developer Security, State Sponsored Attacks, Shadow Code Campaign, Contagious Interview
The "Shadow Code Campaign" is a sophisticated North Korean cyber operation targeting developers by injecting malicious code into NPM packages. This covert attack exploits the trust in open-source repositories, allowing the attackers to infiltrate software supply chains undetected. The campaign highlights the growing threat of state-sponsored cyber activities, particularly those targeting critical digital infrastructure, using advanced techniques to compromise development environments globally.

Indicators of Compromise

ipcheck.cloud

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1027 - Obfuscated Files or Information


| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution | Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^). Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding. |
| DS0022 | File | File Creation | Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). |
| DS0022 | File | File Metadata | Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. File-based signatures may be capable of detecting code obfuscation depending on the methods used.[177][178][179] |
| DS0011 | Module | Module Load | Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[178] |
| DS0009 | Process | OS API Execution | Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[177] |
| DS0009 | Process | Process Creation | Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. |
| DS0012 | Script | Script Execution | Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^). Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters. |
| DS0024 | Windows Registry | Windows Registry Key Creation | Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads. |
| DS0005 | WMI | WMI Creation | Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads. |
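The Command Execution and Script Execution rows above ask for monitoring of uninterpreted escape characters such as `^`, encoding-related arguments and unreadable encoded blobs. As an added example (not part of this campaign record or of ATT&CK), the Python below applies those checks to constructed sample command lines, strips caret insertion to recover the text cmd.exe actually runs, and decodes a PowerShell `-EncodedCommand` argument so an analyst sees the underlying script; the regexes, thresholds and sample commands are this example's own assumptions.

```python
import base64
import re

# Constructed sample command lines (not taken from the campaign) of the kind a
# command- or script-execution log would hold. Only the first one is benign.
SAMPLE_COMMANDS = [
    'cmd.exe /c dir C:\\Users',
    'cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -w hidden',
    'powershell.exe -NoP -W Hidden -EncodedCommand '
    + base64.b64encode('Write-Host hello'.encode('utf-16le')).decode(),
    'node -e "eval(Buffer.from(\'Y29uc29sZS5sb2coMSk=\',\'base64\').toString())"',
]

CARET_RE = re.compile(r'\^[A-Za-z]')  # cmd.exe escape char inserted inside a token
ENC_FLAG_RE = re.compile(r'-e(?:ncodedcommand|nc|c)?\b', re.IGNORECASE)
B64_BLOB_RE = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')  # long base64-looking run
DECODE_HINT_RE = re.compile(
    r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)|\batob\(|\beval\(", re.IGNORECASE)

def decode_encoded_command(cmd: str):
    """Recover the script behind PowerShell -EncodedCommand (base64 of UTF-16LE)."""
    m = ENC_FLAG_RE.search(cmd)
    if not m or 'powershell' not in cmd.lower():
        return None
    try:
        token = cmd[m.end():].split()[0]
        return base64.b64decode(token, validate=True).decode('utf-16le')
    except (IndexError, ValueError):  # no argument, bad base64, or not UTF-16LE
        return None

def find_indicators(cmd: str) -> list[str]:
    """Return the T1027 command-line obfuscation indicators present in cmd."""
    hits = []
    if CARET_RE.search(cmd):
        hits.append('caret-escaped characters')
    normalized = cmd.replace('^', '')  # the text cmd.exe actually executes
    if 'powershell' in normalized.lower() and ENC_FLAG_RE.search(normalized):
        hits.append('powershell encoding argument')
    if B64_BLOB_RE.search(normalized):
        hits.append('long base64-like blob')
    if DECODE_HINT_RE.search(normalized):
        hits.append('runtime decode/eval')
    decoded = decode_encoded_command(normalized)
    if decoded is not None:
        hits.append(f'decoded payload: {decoded}')
    return hits

def scan(commands: list[str]) -> dict[str, list[str]]:
    """Map each logged command line to the indicators it triggers ([] = clean)."""
    return {cmd: find_indicators(cmd) for cmd in commands}
```

Running `scan(SAMPLE_COMMANDS)` flags the three crafted lines and leaves the plain `dir` untouched; in production the same functions would be fed from a process-creation or script-block log rather than the inline list.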

Observed Countries (7)

DE (531)
FR (12)
GB (179)
JP (745)
KR (273)
NL (636)
US (865)