North Korean threat actor UNC1069 ran a targeted social engineering campaign against multiple high-profile Node.js maintainers that resulted in two malicious package versions being briefly published to the NPM registry and likely installed by millions. Attackers used staged Slack and Teams meetings, built convincing infrastructure, and delivered a RAT via a fake update, prompting calls for the OSS community to report and share suspicious personas.
Key points
- UNC1069 targeted several prominent Node.js maintainers and published malicious packages to NPM on March 31.
- The two malicious package versions were removed after roughly three hours but were likely installed by over three million users.
- Attackers employed social engineering tactics seen in DeceptiveDevelopment, Operation Dream Job, Contagious Interview, and ClickFake Interview campaigns.
- Victims were lured via Slack and Microsoft Teams meetings and tricked into installing a fake update that installed a RAT.
- The operation was staged over weeks to build trust and professionalism, leading to warnings for the OSS community to report and share suspicious contacts.
Read More: https://www.securityweek.com/north-korean-hackers-target-high-profile-node-js-maintainers/