North Korean hackers continue targeting developers in open source malware campaign - and experts say as many as 36,000 victims have been snared so far

Sonatype spots global spying campaign by North Korean-affiliated hackers targeting open source ecosystems


North Korean hackers are targeting developers working in open source ecosystems by camouflaging malware inside packages that look like popular software tools.

That's according to security firm Sonatype, which said in a post it has blocked 234 unique malware packages tied to the Lazarus Group, hackers linked to North Korea.

Those packages were spotted in two software repositories, NPM and Python Package Index (PyPI), over the first half of the year — this follows reports earlier this year of malware spotted in NPM packages.


According to Sonatype, the attacks are designed to "steal secrets, profile hosts, and open persistent backdoors into critical infrastructure" — and there may already be as many as 36,000 victims.

"The open source ecosystem has become an effective delivery mechanism for espionage and credential theft," the company said.

Shift from Lazarus Group?

Lazarus Group is believed to be behind the 2017 WannaCry ransomware incident and the 2014 Sony Pictures hack, among many others.

"Lazarus has increasingly pivoted from disruption to long-term infiltration, using tailored malware, modular payloads, and infrastructure evasion techniques to achieve persistent access to high-value targets — including the open source software ecosystem," Sonatype noted.

That "strategic shift" means the hackers are now focused on finding ways to embed malicious code into open-source package registries, Sonatype explained.

That includes typosquatting and brandjacking of popular NPM and PyPI packages.

"These mimicry tactics exploit typos, visual confusion, or 'lookalike' names (known as typosquatting), which remain highly effective against unsuspecting developers and automated build pipelines," the report noted.

"We also observed instances of 'brand-jacking,' where attackers use the names of well-known companies or projects in their package names (e.g., internal-company-logger) to imply legitimacy, as well as combo-squatting, which combines trusted names with extra words to create deceptive but plausible identifiers."

That works, the security firm noted, because developers have a bad habit of installing packages without verification or sandboxing, and because many popular open-source projects are run by small teams, making them easier to target.

Once installed, the hackers can target credentials and tokens, and persist undetected for extended periods, with multi-stage malware that profiles hosts, snaps up credentials, and installs clipboard stealers, keyloggers, and remote shells.

"The Lazarus campaign is a stark reminder that trust in open source is not immune to exploitation," Sonatype said.

"By embedding malware into developer tools and using software pipelines as delivery channels, nation-state actors are shifting the battlefield into everyday development workflows."

Mike McGuire, senior software solutions manager at Black Duck, said the hackers were weaponizing the trust developers have in open source.

"Threat actors continue to exploit the inherent trust that is placed in the open source community," he said.

"While the overwhelming majority of open source projects are legitimate, it only takes one malicious package to poison the well."

What to do?

McGuire said the campaign shows that security teams need to prioritize application security.

"This includes conducting a thorough analysis of the open source dependencies used in their applications, ensuring none of them are identified to be known malicious components, whether they’re part of this Lazarus Group campaign, or any other attacker’s efforts," he added.

"However, the most effective approach in preventing exposure to these types of attacks is to proactively evaluate dependencies for risk before using them."

Sonatype said the best mitigation was a multi-layered defense strategy. This includes using a repository firewall to block malicious packages, enforcing stricter governance policies so that packages with unclear provenance or low download histories are not installed without extra checks, and regularly scanning for indicators of compromise.
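As an added illustration of the mimicry tactics described above (typosquatting, combo-squatting, brand-jacking) and of the governance policy Sonatype recommends, here is a small pre-install check a team could run over candidate dependencies. This is example code, not Sonatype's or ITPro's; the trusted-package list, brand list, download threshold and package metadata are all assumptions constructed for the example.

```python
"""Added example (not from the Sonatype report): a dependency governance gate
that flags lookalike package names and weak-provenance packages before install.
TRUSTED, BRANDS and MIN_DOWNLOADS are assumed values, not real policy."""

# Assumed allowlist of well-known package names; a real deployment would use the
# organisation's approved catalogue or the registry's most-downloaded packages.
TRUSTED = {"requests", "numpy", "lodash", "express", "react", "flask"}
# Assumed brand / project names an attacker might borrow (brand-jacking).
BRANDS = {"internal-company", "acme"}
MIN_DOWNLOADS = 1000  # assumed "low download history" threshold


def levenshtein(a, b):
    """Edit distance between two names; 1-2 edits from a trusted name is a
    typosquat signal (e.g. 'reqeusts' vs 'requests')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(name, downloads, has_repo_url):
    """Return a list of policy findings for one candidate package.
    An empty list means no extra review is required before installing."""
    findings = []
    norm = name.lower().replace("_", "-")
    if norm in TRUSTED:  # exact match to an approved package: nothing to flag
        return findings
    parts = norm.split("-")
    for t in TRUSTED:
        d = levenshtein(norm, t)
        if 0 < d <= 2:
            findings.append(f"typosquat? {d} edit(s) from trusted '{t}'")
        # Combo-squatting: trusted name plus extra words. This also catches
        # legitimate plugins (e.g. a real 'flask-*' extension), which is why
        # the policy asks for extra checks rather than an outright block.
        if len(parts) > 1 and t in parts:
            findings.append(f"combo-squat? trusted name '{t}' with extra words")
    for b in BRANDS:
        if norm.startswith(b + "-"):
            findings.append(f"brand-jacking? borrows brand '{b}'")
    if downloads < MIN_DOWNLOADS:
        findings.append(f"low download history ({downloads} < {MIN_DOWNLOADS})")
    if not has_repo_url:
        findings.append("unclear provenance (no source repository listed)")
    return findings
```

Each finding is a reason to route the package through manual review or a repository firewall rule rather than a verdict that it is malicious.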

Additionally, the company suggested setting up a centralized repository of "audited, compliant packages" for developers to draw from, rather than leaving them to seek out their own tools.



Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.