ThreatCluster

North Korean Hackers Exploit NPM Packages to Steal Cryptocurrency and Sensitive Data

Threat Score: 67 · 6 articles · 100.0% similarity · 2 days ago

Activity Timeline

6 articles, published between Aug 04 and Aug 05.

Key Insights

1. North Korean hackers, linked to the Chollima APT group, have been exploiting malicious Node Package Manager (NPM) packages to steal cryptocurrency and sensitive data from developers since at least December 2022.
2. A recent campaign involved twelve malicious NPM packages, including 'cloud-binary' and 'nodemailer-enhancer,' which were removed from the NPM registry after detection due to their sophisticated malware capabilities.
3. The attackers utilize social engineering tactics, posing as recruiters to lure job seekers into installing malicious software during coding exercises, thereby gaining access to sensitive information.
4. One specific malicious package, @kodane/patch-manager, functions as a cryptocurrency wallet drainer, embedding mechanisms to siphon funds from compromised wallets while masquerading as a legitimate tool.
5. Security researchers have observed a significant escalation in the sophistication of these attacks, with malware variants employing advanced obfuscation and encryption techniques to evade detection.
6. Industry responses include the removal of malicious packages by NPM, with ongoing advice for developers to scrutinize NPM packages and avoid unverified sources.

Threat Overview

Recent investigations have revealed that North Korean hackers, particularly the Chollima APT group, are actively exploiting malicious Node Package Manager (NPM) packages to steal cryptocurrency and sensitive data from software developers. This campaign, which has been ongoing since at least December 2022, has seen a marked increase in sophistication, leveraging social engineering tactics to target job seekers in the tech industry. According to Veracode Threat Research, twelve malicious packages, including 'cloud-binary' and 'nodemailer-enhancer,' were flagged and removed from the NPM registry after detection. These packages were designed to trick victims into installing malware during simulated job interviews, leading to the exfiltration of sensitive information such as cryptocurrency wallet data and browser extension credentials.

The attackers impersonate recruiters, exploiting the pressure job seekers are under, which can lead them to relax their usual security practices. During interviews, they guide candidates to download and run seemingly benign software packages that contain hidden malware. This approach allows the attackers to deploy advanced variants of the Beavertail malware family, capable of cross-platform data exfiltration on Windows, Linux, and macOS systems.

One notable malicious package, named @kodane/patch-manager, was identified as a cryptocurrency wallet drainer. This package masqueraded as an 'NPM Registry Cache Manager,' embedding mechanisms to siphon funds from compromised wallets. Security researchers noted that the package's internal documentation brazenly identified it as an 'ENHANCED STEALTH WALLET DRAINER.' Once installed, the malware initiates an infection chain that creates hidden directories to conceal its operations, thereby achieving persistence and enabling ongoing communication with a command-and-control server.

The industry response has involved the swift removal of these malicious packages from the NPM registry and ongoing efforts by cybersecurity experts to raise awareness among developers. Security teams are advising developers to verify the legitimacy of any NPM packages they consider using, particularly those sourced from unverified repositories. As threats evolve, the importance of maintaining robust security practices in the software development community remains critical. 'Developers must remain vigilant and skeptical about the packages they install, especially during job interviews,' emphasized a cybersecurity analyst from Veracode. Immediate action is recommended, including regular updates to security protocols and increased scrutiny of third-party software sources.

Tactics, Techniques & Procedures (TTPs)

  • T1566.001 Spearphishing Attachment - Attackers pose as recruiters and send malicious NPM packages to job seekers [1][2]
  • T1059.007 JavaScript/JScript - Attackers embed obfuscated JavaScript payloads within NPM packages to deploy malware [2][4]
  • T1190 Exploit Public-Facing Application - The malicious packages exploit trust in the NPM registry to deliver malware [1][4]
  • T1557 Adversary-in-the-Middle - Attackers leverage social engineering to trick victims into executing malicious code during interviews [2][5]
  • T1053 Scheduled Task/Job - Malware achieves persistence by creating hidden processes and directories [3][4]
  • T1105 Ingress Tool Transfer - Malicious packages facilitate the download and execution of further payloads from command-and-control servers [3][4]
  • T1003 OS Credential Dumping - Malware exfiltrates sensitive data, including cryptocurrency wallet credentials and browser extensions [1][3]

Timeline of Events

  • 2022-12-01 - Chollima APT group begins orchestrating a cyber espionage campaign targeting job seekers in the software development sector [2]
  • 2024-02-01 - Initial reports of North Korean hackers exploiting NPM packages emerge, highlighting early tactics [1]
  • 2024-06-15 - Ongoing campaigns evolve, with more sophisticated malware variants identified in the wild [1][4]
  • 2025-08-04 - Security researchers discover the @kodane/patch-manager package, which drains cryptocurrency wallets [3][6]
  • 2025-08-05 - Twelve malicious NPM packages are flagged and subsequently removed from the NPM registry [1][4]

Source Citations

  • Expert quotes: Safety researchers (Article 3); Cybersecurity analyst (Article 4); Veracode Threat Research (Article 1)
  • Primary findings: Attack methods and targets (Articles 2, 5); Details on @kodane/patch-manager (Articles 3, 6); Malicious NPM packages identified (Articles 1, 4)
  • Technical details: Social engineering tactics (Articles 2, 5); Malware capabilities and behaviors (Articles 1, 3, 4)

Powered by ThreatCluster AI. Generated 1 day ago. AI analysis may contain inaccuracies.

Related Articles

6 articles

1. North Korean Hackers Exploit NPM Packages to Steal Cryptocurrency and Sensitive Data (GB Hackers, 1 day ago; score 59, 100.0% similarity)
   Veracode Threat Research has uncovered a sophisticated North Korean cryptocurrency theft operation that continues to evolve, building on campaigns previously reported in February and June 2024. This latest iteration involves twelve malicious NPM packages, including cloud-binary, json-cookie-csv, cloudmedia, and nodemailer-enhancer, which were flagged by automated monitoring systems and subsequently removed from

2. Chollima APT Group Targets Job Seekers and Organizations with JavaScript-Based Malware (GB Hackers, 1 day ago; score 56, 100.0% similarity)
   The North Korean-linked Chollima advanced persistent threat (APT) group, also known as Famous Chollima, has been orchestrating a persistent cyber espionage campaign since at least December 2022, primarily targeting job seekers in the software development and IT sectors to infiltrate a wide array of United States-based organizations. This operation leverages intricate social engineering techniques, where attack

3. North Korean Hackers Weaponizing NPM Packages to Steal Cryptocurrency and Sensitive Data (Cybersecurity News, 1 day ago; score 53, 100.0% similarity)
   A sophisticated North Korean cryptocurrency theft campaign has resurfaced with renewed vigor, weaponizing twelve malicious NPM packages to target developers and steal digital assets. The campaign, which represents a significant escalation in supply chain attacks, exploits the trust developers place in open-source package repositories to distribute advanced malware capable of cross-platform data exfiltration. The attack […]

4. Hackers Leverage AI to Craft Malicious NPM Package That Drains Crypto Wallets (GB Hackers, 2 days ago; score 52, 98.0% similarity)
   Security researchers at Safety have uncovered an AI-generated malicious NPM package dubbed @kodane/patch-manager, engineered as an advanced cryptocurrency wallet drainer. This package, posing as a benign “NPM Registry Cache Manager” for license validation and registry optimization, embeds sophisticated mechanisms to siphon funds from developers’ and users’ crypto wallets. Published under the NPM username “Kodane,” the ma

5. Famous Chollima APT Hackers Attacking Job Seekers and Organization to Deploy JavaScript Based Malware (Cybersecurity News, 1 day ago; score 51, 100.0% similarity)
   North Korean-linked Famous Chollima APT group has emerged as a sophisticated threat actor, orchestrating targeted campaigns against job seekers and organizations through deceptive recruitment processes. Active since December 2022, this advanced persistent threat has developed an intricate multi-stage attack methodology that exploits the trust inherent in professional networking and job-seeking activities. The group’s operations represent […]

6. Hackers Use AI to Create Malicious NPM Package that Drains Your Crypto Wallet (Cybersecurity News, 2 days ago; score 44, 98.0% similarity)
   Cybercriminals have escalated their attack sophistication by leveraging artificial intelligence to create a malicious NPM package that masquerades as a legitimate development tool while secretly draining cryptocurrency wallets. The package, named @kodane/patch-manager, presents itself as an “NPM Registry Cache Manager” offering license validation and registry optimization features, but harbors a sophisticated cryptocurrency wallet drainer targeting […]

Cluster Intelligence

Key entities and indicators for this cluster

INDUSTRIES: Information Technology, Software Development, Cryptocurrency
ATTACK TYPES: Supply Chain Attack, Cryptocurrency Theft, Social Engineering, Cryptocurrency Wallet Draining
APT GROUPS: Chollima, Lazarus Group
MITRE ATT&CK: T1105, T1190, T1059, T1053, T1557
PLATFORMS: Node.js
COMPANIES: Safety, Veracode
COUNTRIES: North Korea
MALWARE: @kodane/patch-manager
CLUSTER INFORMATION: Cluster #1633, created 2 days ago, Semantic Algorithm
