Introducing Artifact Attestations–now in public beta
Generate and verify signed attestations for anything you make with GitHub Actions.
GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.
GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies. Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.
We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.
The attack chain operates as follows:
The threat actor often publishes their malicious packages only when they extend a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny.
In some cases, the actor may deliver the malicious software directly on a messaging or file sharing platform, bypassing the repository invitation/clone step.
The mechanics of the first-stage malware are described in detail in a blog by Phylum Security.
Phylum’s work, conducted completely independent of GitHub, mirrors our own research.
action:repo.add_member
events to determine if you ever accepted an invite to a repository from one of the accounts noted below.npmjscloud[.]com
npmrepos[.]com
cryptopriceoffer[.]com
tradingprice[.]net
npmjsregister[.]com
bi2price[.]com
npmaudit[.]com
coingeckoprice[.]com
assets-graph
assets-table
audit-ejs
audit-vue
binance-prices
coingecko-prices
btc-web3
cache-react
cache-vue
chart-tablejs
chart-vxe
couchcache-audit
ejs-audit
elliptic-helper
elliptic-parser
eth-api-node
jpeg-metadata
other-web3
price-fetch
price-record
snykaudit-helper
sync-http-api
sync-https-api
tslib-react
tslib-util
ttf-metadata
vue-audit
vue-gws
vuewjs
GalaxyStarTeam
Cryptowares
Cryptoinnowise
netgolden
charlestom2023
eflodzumibreathbn
galaxystardev
garik.khasmatulin.76
hydsapprokoennl
leimudkegoraie3
leshakov-mikhail
linglidekili9g
mashulya.bakhromkina
mayvilkushiot
outmentsurehauw3
paupadanberk
pormokaiprevdz
podomarev.goga
teticseidiff51
toimanswotsuphous
ufbejishisol
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a
https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/