Phylum, a cybersecurity company, has been closely monitoring the activities of North Korean hackers targeting open-source software developers over the past year. A recent report focused on an npm package that was published and then removed from the registry within 1.5 hours. The incident shows that while the hackers continuously update their tactics, their core attack methods remain unchanged.
The package in question, call-blockflow, briefly appeared on npm as a modified version of the widely used call-bind package, which garners about 45 million weekly downloads. The new version retains the basic elements of the original, but its package.json file has been altered and additional files have been included so that malicious code executes during installation.
These alterations were made possible through changes in the configuration file and the use of automated scripts that delete themselves after execution, leaving no trace behind.
One notable aspect of the attack is a script that operates in the Windows_NT environment, creating temporary files to carry out malicious commands and then removing them. This lets the hackers operate without detection and makes the attack more covert.
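The package.json changes and additional files described above are what a reviewer can check for when a package claims to be a copy of a known one. The following is an added example, not code from Phylum's report or from either package; the `auditClone` helper, the file lists, the script commands and the `placeholder-added.js` name are constructed for illustration.

```javascript
// Added example (not Phylum's tooling): audit a package that claims to be a
// copy of a known upstream. All sample data below is constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"]; // run by `npm install`

function auditClone(upstream, candidate) {
  const findings = [];
  if (candidate.manifest.name !== upstream.manifest.name) {
    findings.push({ type: "renamed", from: upstream.manifest.name, to: candidate.manifest.name });
  }
  // Install-time hooks that are new or differ from upstream execute code
  // on the developer's machine as soon as the package is installed.
  const upScripts = upstream.manifest.scripts || {};
  const candScripts = candidate.manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = candScripts[hook];
    if (typeof cmd === "string" && cmd !== upScripts[hook]) {
      findings.push({ type: "install-hook", hook, command: cmd });
    }
  }
  // Files that do not exist upstream are where the added payload would live.
  const known = new Set(upstream.files);
  for (const file of candidate.files) {
    if (!known.has(file)) findings.push({ type: "extra-file", file });
  }
  return findings;
}

// Constructed upstream snapshot (file list and scripts are illustrative).
const UPSTREAM = {
  manifest: { name: "call-bind", scripts: { test: "node test" } },
  files: ["package.json", "index.js", "callBound.js"],
};
// Constructed look-alike: same files plus a hook and a placeholder script.
const CANDIDATE = {
  manifest: {
    name: "call-blockflow",
    scripts: { test: "node test", postinstall: "node ./placeholder-added.js" },
  },
  files: ["package.json", "index.js", "callBound.js", "placeholder-added.js"],
};

console.log(JSON.stringify(auditClone(UPSTREAM, CANDIDATE), null, 2));
```

Installing with `npm install --ignore-scripts` keeps these hooks from running while a flagged package is reviewed.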
Although it mimics the trusted call-bind package, the call-blockflow package does not pose a threat to users of the legitimate package. Prompt responses from the security systems of npm and Phylum ensure that harmful packages are swiftly blocked before causing any harm.
The malicious call-blockflow package was rapidly taken down from npm, in line with the quick publication and removal strategy employed in this campaign. This tactic helps attackers evade detection and analysis of their malicious packages.
The campaign is part of a broader strategy in which hackers either impersonate legitimate developers of popular packages or create fake packages to distribute malware. By cloning reputable repositories, the attackers gain access to a vast array of trusted packages, heightening the success rate of their attacks.