Security alert: social engineering campaign targets technology industry employees

GitHub identified a low-volume social engineering campaign that targets the personal accounts of employees at technology firms. The actor uses fake persona accounts on GitHub and other platforms to lure victims into collaborating on a repository whose npm dependencies are malicious; those packages act as first-stage malware that downloads and executes a second-stage payload. GitHub attributes the campaign to the North Korean group Jade Sleet (TraderTraitor). #JadeSleet #TraderTraitor

Keypoints

  • Campaign is described as low-volume but targeted, aimed at the personal accounts of technology industry employees.
  • Threat actor group is linked to North Korea and identified as Jade Sleet (TraderTraitor).
  • Attack chain centers on impersonation via fake personas on GitHub and other social platforms to initiate contact.
  • Targets are invited to collaborate on GitHub repositories that include malicious npm dependencies.
  • First-stage malware (malicious npm packages) downloads and executes second-stage malware on victims’ machines.
  • GitHub has suspended the accounts involved, filed abuse reports, published indicators, and provides mitigation guidance.

MITRE Techniques

  • [T1566.003] Spearphishing via Service – Impersonation by creating fake persona accounts on GitHub and other social platforms to contact targets. ‘The threat actor impersonates a developer or recruiter by creating one or more fake persona accounts on GitHub and other social media providers.’
  • [T1195] Supply Chain Compromise – The attacker uses a GitHub repository containing malicious npm dependencies to download and execute second-stage malware. ‘The GitHub repository contains software that includes malicious npm dependencies.’
  • [T1199] Trusted Relationship – The actor builds rapport as a recruiter or fellow developer and moves the conversation to other platforms, in some cases from legitimate accounts it has taken over (the takeover itself sits closer to T1586 Compromise Accounts). ‘Thus far, we have identified fake personas that operated on LinkedIn, Slack, and Telegram. In some cases these are fake personas; in other cases, they use legitimate accounts that have been taken over by Jade Sleet.’
  • [T1105] Ingress Tool Transfer – Once the first-stage npm package runs, it fetches the second-stage payload from attacker-controlled domains (listed under Indicators of Compromise). ‘The malicious npm packages act as first-stage malware that downloads and executes second-stage malware on the victim’s machine. Domains used for the second-stage download are listed below.’

Indicators of Compromise

  • [Domains] Domains observed – npmjscloud[.]com, npmrepos[.]com, and 6 more domains
  • [NPM Packages] Malicious npm packages – assets-graph, assets-table, and 27 more packages
  • [GitHub Accounts] Malicious GitHub accounts – GalaxyStarTeam, Cryptowares, Cryptoinnowise, netgolden
  • [NPM Accounts] Malicious npm accounts – charlestom2023, eflodzumibreathbn, and 15 more accounts
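The practical check that follows from the attack chain above (a repository you were invited to collaborate on, whose install pulls a malicious package) is to audit the manifest, lockfile and registry configuration before running npm install. The Node script below is an added example, not code from the GitHub advisory. It uses only the indicators printed on this page (the elided "N more" entries are not guessed, so extend the lists from the full advisory); the package.json, package-lock.json and .npmrc contents are constructed samples for a hypothetical project.

```javascript
// Added example, not code from the GitHub advisory: audit a repository you were
// invited to collaborate on against the indicators this alert names. Only the
// indicators printed on the page are used; the "N more" entries are elided there
// and are not guessed here, so extend these lists from the full advisory.
const MALICIOUS_PACKAGES = new Set(["assets-graph", "assets-table"]);
const MALICIOUS_DOMAINS = ["npmjscloud.com", "npmrepos.com"];
// npm runs these scripts during install, which is where a first-stage dropper runs.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed sample inputs (hypothetical project, not a real repository).
const samplePackageJson = {
  name: "trading-bot-demo",
  dependencies: { express: "^4.18.2", "assets-graph": "^1.0.3" },
  scripts: { postinstall: "node ./setup.js", test: "mocha" },
};
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-bot-demo" },
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
    },
    "node_modules/assets-graph": {
      version: "1.0.3",
      resolved: "https://npmrepos.com/assets-graph/-/assets-graph-1.0.3.tgz",
    },
  },
};
const sampleNpmrc =
  "registry=https://registry.npmjs.org/\n@internal:registry=https://cdn.npmjscloud.com/\n";

function hostnameOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}
function onBadDomain(host) {
  return host !== null && MALICIOUS_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Returns a list of {kind, name, detail} findings; an empty list means nothing matched.
function auditProject(pkg, lock) {
  const findings = [];
  const flagged = new Set();
  const flagPackage = (name, detail) => {
    if (MALICIOUS_PACKAGES.has(name) && !flagged.has(name)) {
      flagged.add(name);
      findings.push({ kind: "package", name, detail });
    }
  };
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(pkg[field] || {})) flagPackage(name, field);
  }
  // Any lifecycle script deserves a look: it runs with the installing user's privileges.
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (cmd) findings.push({ kind: "lifecycle-script", name: hook, detail: cmd });
  }
  // lockfileVersion 2 and 3 record every installed package, transitive ones included,
  // under "packages", keyed by node_modules path, together with the tarball URL.
  for (const [path, entry] of Object.entries((lock && lock.packages) || {})) {
    if (path === "") continue; // root project entry
    flagPackage(path.split("node_modules/").pop(), "lockfile " + path);
    const host = hostnameOf(entry.resolved || "");
    if (onBadDomain(host)) findings.push({ kind: "resolved-url", name: path, detail: entry.resolved });
  }
  return findings;
}

// A repository can also redirect installs by shipping an .npmrc that points the
// default registry, or a scoped one, at an attacker-controlled host.
function auditNpmrc(text) {
  const findings = [];
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.trim().match(/^(@[^:]+:)?registry\s*=\s*(\S+)/);
    if (m && onBadDomain(hostnameOf(m[2]))) {
      findings.push({ kind: "npmrc-registry", name: m[1] ? m[1].slice(0, -1) : "(default)", detail: m[2] });
    }
  }
  return findings;
}

for (const f of [...auditProject(samplePackageJson, samplePackageLock), ...auditNpmrc(sampleNpmrc)]) {
  console.log(`${f.kind}: ${f.name} (${f.detail})`);
}
```

To run it against a real checkout, replace the constructed objects with JSON.parse(fs.readFileSync(...)) of the repository's package.json and package-lock.json and the text of its .npmrc. The lifecycle-script finding is deliberately unconditional: a postinstall hook is not proof of compromise, but it is exactly where this campaign's first stage executes, so it should be read before install, or installs run with --ignore-scripts until the repository is trusted.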

Read more: https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/