
Shadow Code Campaign: North Korean Hackers Target Developers with Malicious NPM Packages
The "Shadow Code Campaign" is a sophisticated North Korean cyber operation targeting developers by injecting malicious code into NPM packages. This covert attack exploits the trust in open-source repositories, allowing the attackers to infiltrate software supply chains undetected. The campaign highlights the growing threat of state-sponsored cyber activities, particularly those targeting critical digital infrastructure, using advanced techniques to compromise development environments globally.
Indicators of Compromise
Domains (1)
ipcheck.cloudHashes (7)
f7c142178605102ee56f7e486ba68b97f3f6b522994b24f4116dbbd2abc28cecaec21b53ee4ae0b55f5018fc5aaa5a4f095a239a64272ca42047c40ec3c212c02a00838ccd08b26c7948d1dd25c33a114dd81c3bcee3de595783e6f396e7f50e5e5313aaf281c8a8eed29ba2c1aaa5aa65bc174bcd0be466f4533712599db758f1f3002dec6e36e692e087626edd9b6b0f95a176c0c204d4703ccb4f425aa31794da263d603bf735ab85f829b564261e59a1d13915d21babe58e72435bfe32ab0110318f70072171c0edc624c8e8be38892f984b121d6a5a5ced1f6b0b45dbd0IPv4 (3)
167.88.36.1395.164.17.2445.61.158.14Notes
<span id="docs-internal-guid-8011d129-7fff-da14-9f5c-2c643233b471"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">CONCLUSION</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The recent North Korean cyber campaign targeting developers via NPM packages highlights a sophisticated strategy to infiltrate the software supply chain. By embedding malicious code inside commonly used NPM packages, attackers aim to exfiltrate sensitive information and potentially compromise the wider systems that rely on these packages. The campaign highlights the persistent threat posed by state-sponsored actors and emphasizes the need for greater vigilance in code management, dependency monitoring and advanced threat detection methods to protect the integrity of software development environments globally. monitoring is fundamental to effective Threat Detection and Response (TDR), which enables early identification of potential threats. </span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;"><a href="https://socradar.io/products/attack-surface-management/">SOCRadar's Attack Surface Management </a></span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">module provides real-time visibility into your digital assets, including networks, applications and cloud environments.</span></p><div><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><br></span></div></span>
Mitigation
<span id="docs-internal-guid-21bcddbc-7fff-60b5-c8af-539efd3d4de9"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">MITIGATION</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1027-Obfuscated Files or Information</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dee2e6 1.5pt;border-top:solid #dfdfdf 0.75pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dee2e6 1.5pt;border-top:solid #dfdfdf 0.75pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dee2e6 1.5pt;border-top:solid #dfdfdf 0.75pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:56.5pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dee2e6 1.5pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1049"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1049</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dee2e6 1.5pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1049"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Antivirus/Antimalware</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dee2e6 1.5pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. </span><a href="https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/?source=mmpc"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[175]</span></a></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1047</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1040"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1040</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1040"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Behavior Prevention on Endpoint</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. </span><a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[176]</span></a></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1017</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Training</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.</span></p></td></tr></tbody></table></div></span>