Over the past year, security researchers have observed a growing trend of North Korean–linked developers establishing credible-looking profiles on popular code-sharing platforms such as GitHub, CodeSandbox, and Gist.
These accounts frequently host legitimate open-source projects alongside hidden payloads, allowing operators to mask malicious activity under the guise of normal developer contributions.
The overall goal appears to be multifaceted: generating revenue for state-sponsored programs, obtaining access to remote work contracts, and using those engagements as beachheads for more sophisticated cyber operations.
Initially, these profiles attracted attention due to unusually high activity levels and the adoption of advanced software stacks—including React.js front ends, Node.js back ends, and Dockerized deployment configurations—designed to impress prospective clients.
However, a deeper analysis revealed carefully obfuscated modules within certain repositories that leveraged compromised dependencies to deliver remote access trojans.
THE RAVEN FILE analysts noted that these repositories often employed minimalistic README files to distract from hidden directories named .secret or .vendor where malicious payloads were staged.
The impact of these operations has been significant. Several victims unknowingly installed tainted packages during routine dependency updates, granting attackers persistent access to corporate networks or cloud environments.
In one documented case, a financial services firm imported a library called @jupyter-utils/rpc that contained a loader script intercepting WebSocket connections and exfiltrating credentials via an embedded C2 channel.
The combination of legitimate functionality and covert communication made detection extremely difficult for standard signature-based scanners.
Infection Mechanism and Persistence Tactics
A closer look at the infection mechanism reveals a multi-stage loader that activates only when certain environmental conditions are met.
Upon installation, the malicious package executes a preinstall script defined in package.json:-
"scripts": {
"preinstall": "node scripts/setup.js"
}The setup.js module then checks for the presence of common CI/CD directories (.gitlab-ci, .github/workflows) before deploying an encrypted payload into the application’s runtime directory.
This payload, stored as payload.enc, is decrypted in memory using a hard-coded key and immediately executed via Node’s vm module:-
const vm = require('vm');
const fs = require('fs');
const key = Buffer.from(process.env.DEPLOY_KEY, 'hex');
const cipher = fs.readFileSync('./payload.enc');
const decrypted = decrypt(cipher, key);
vm.runInThisContext(decrypted);This below figure illustrates how the primary repository README masks the scripts folder, while Figure 2 (“deepfake_result.png”) shows the deepfake profile image used to enhance credibility.
.webp "DPRK IT Workers Using Code-Sharing Platforms to Secure New Remote Jobs 3")
By embedding itself at the package manager level and leveraging CI/CD hooks, the malware achieves both stealthy installation and persistence.
Removal requires thorough dependency audits and validation of all installation scripts.
.webp "DPRK IT Workers Using Code-Sharing Platforms to Secure New Remote Jobs 4")
As organizations increasingly rely on open-source components, understanding these infection vectors is critical to safeguarding supply chains and maintaining trust in collaborative development platforms.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source link
