GitHub Warns Devs of North Korean Attacks

Written by

GitHub has warned of a new North Korean threat campaign designed to compromise victims via malicious npm package dependencies.

The development platform claimed in a blog post earlier this week that the attacks targeted employees in the blockchain, cryptocurrency, online gambling and cybersecurity sectors.  

Attacks start with the threat actors impersonating a developer or recruiter with a fake GitHub, LinkedIn, Slack or Telegram profile, according to Alexis Wales, VP of GitHub security operations. In some cases, the attacker may hijack legitimate accounts.

Read more on North Korean attacks: North Korean APT Kimsuky Launches Global Spear-Phishing Campaign.

They then initiate contact with the target and attempt to move the conversation to another platform.

“After establishing contact with a target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its contents,” Wales explained.

“The GitHub repository may be public or private. The GitHub repository contains software that includes malicious npm dependencies. Some software themes used by the threat actor include media players and cryptocurrency trading tools.”

These malicious dependencies act as first-stage malware designed to download a second-stage threat to the victim’s machine, although it’s unclear exactly what this is.

“The threat actor often publishes their malicious packages only when they extend a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny,” said Wales.

“In some cases, the actor may deliver the malicious software directly on a messaging or file sharing platform, bypassing the repository invitation/clone step.”

GitHub claimed with “high confidence” that attackers belong to the North Korean group known as “Jade Sleet” by Microsoft Threat Intelligence and “TraderTraitor” by the US Cybersecurity and Infrastructure Security Agency (CISA).

In related news, an attack on SSO vendor JumpCloud at the end of June has also been attributed to North Korea, according to SentinelOne.

Image credit: Piotr Swat /

What’s hot on Infosecurity Magazine?