North Korean Cyberspies Target GitHub Developers

Published: 23/11/2024   Category: security




The North Korean APT is setting up legitimate accounts on GitHub and social media platforms to pose as developers or recruiters — ultimately to fool targets into loading npm repositories with malicious code.



The North Korean state-sponsored Lazarus advanced persistent threat (APT) group is back with yet another impersonation scam, this time posing as developers or recruiters with legitimate GitHub or social media accounts.
The notorious APT is using these personae in social engineering attacks that target a limited group of tech employees, inviting them to join GitHub development projects that then spread malware via malicious node package manager (npm) dependencies, GitHub is warning.
Researchers have so far identified compromised accounts and/or fake personae connected to the low-volume social engineering campaign on LinkedIn, Slack, and Telegram, as well as on GitHub's own platform, they reported in a recent blog post. No GitHub or npm systems were compromised in the campaign, they added.
Lazarus is a prolific and well-tracked APT, widely thought to be run by North Korea's Foreign Intelligence and Reconnaissance Bureau, whose activities date as far back as 2009. The group has consistently mounted both financially motivated attacks to fund the regime of Kim Jong Un and activities to support cyber espionage. It's notorious for dangling job or business opportunities to people working in various industries, with the purpose of cyber espionage or financial fraud. This time, the targeted developer accounts are connected to the blockchain, cryptocurrency, or online gambling sectors, as well as several linked to the cybersecurity sector, the researchers said.
The ultimate goal of the campaign is to get victims to clone and execute the contents of a GitHub repository that spreads a two-stage malware attack.
"In some cases these are fake personas; in other cases, they use legitimate accounts that have been taken over by Jade Sleet," GitHub's Alexis Wales wrote in the post, referring to GitHub's name for Lazarus. "The actor may initiate contact on one platform, and then attempt to move the conversation to another platform."
Lazarus malware deployed over the years includes everything from RATs to ransomware, and the group is known to pivot and shift tactics when needed in order to survive. Lazarus also keeps track of current vulnerabilities and threat trends and will exploit them if need be to achieve its malicious goals.
That may explain the use of npm packages in the latest campaign, as they've become a popular target for threat actors of late for a few reasons, not least that they offer a way to poison the software supply chain: a single malicious dependency is pulled into every application that depends on it.
The GitHub campaign starts with Lazarus establishing contact with a target and inviting them to collaborate on a GitHub repository. Because the contact appears to be coming from a legitimate account, targets may be convinced by the actor to clone and execute the contents of the repository, which includes software that has malicious npm dependencies, the researchers found.
Software themes used by the threat actor include media players and cryptocurrency trading tools. The malicious packages act as first-stage malware that downloads and executes second-stage malware on the victim's machine.
GitHub did not go into detail about the malware, punting instead to a blog post by Phylum to describe the mechanics of the first-stage malware used in the attack.
Phylum researchers describe an attack chain spread across a pair of packages that must be installed in a particular order for the attack to execute: the first package fetches a token from a remote server, and the second package uses that token to acquire a malicious script from the server.
"Given this workflow, it's crucial that each package in a pair is executed sequentially, in the correct order, and on the same machine to ensure successful operation," according to the post.
The malware executes an action that essentially negates TLS certificate validation, described by the post as a poor security practice that leaves the application vulnerable to man-in-the-middle attacks.
"While we can only speculate, one plausible reason for this action could be to facilitate HTTP requests in corporate settings that have installed their own root certificates," according to Phylum.
GitHub has suspended both npm and GitHub accounts associated with the campaign and published indicators of compromise in its post. The site also has filed abuse reports with domain hosts in cases where the domain was still available at the time of detection.
Anyone targeted by the campaign can take steps to mitigate it by reviewing their security log for action:repo.add_member events to determine whether they have ever accepted an invite to a repository from one of the accounts that GitHub has identified in its IoCs. If someone has in fact been targeted, they should contact their employer's cybersecurity department immediately.
Moreover, "if a developer executed any content as a result of this campaign, it may be prudent to reset or wipe potentially affected devices, change account passwords, and rotate sensitive credentials/tokens stored on the potentially affected device," Wales advises.
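The review step above (checking a security log for repo.add_member events tied to known-bad accounts) can be scripted. The following is an added illustration, not code from GitHub's or Phylum's posts; the audit-log field names (`action`, `actor`, `repo`, `user`, `created_at`) are assumed to match a GitHub audit-log JSON export, the log entries are constructed, and the IoC account list is a placeholder to be filled from GitHub's published indicators.

```python
import json

# Constructed sample, shaped like a GitHub audit-log JSON export.
# Field names are assumed; check them against your own export before use.
SAMPLE_AUDIT_LOG = json.dumps([
    {"action": "repo.add_member", "actor": "trusted-colleague",
     "repo": "acme/internal-tools", "user": "alice",
     "created_at": "2023-06-01T10:00:00Z"},
    {"action": "repo.add_member", "actor": "recruiter-persona-example",
     "repo": "recruiter-persona-example/media-player-demo", "user": "alice",
     "created_at": "2023-07-02T14:30:00Z"},
    {"action": "git.clone", "actor": "alice",
     "repo": "acme/internal-tools", "created_at": "2023-07-03T09:00:00Z"},
])

# Placeholder: populate from the IoC list in GitHub's post, not from here.
IOC_ACCOUNTS = {"recruiter-persona-example"}


def find_suspicious_invites(audit_log_json, ioc_accounts):
    """Return repo.add_member events where either the inviting actor or the
    owner of the repository appears in the IoC account list."""
    ioc = {a.lower() for a in ioc_accounts}
    hits = []
    for event in json.loads(audit_log_json):
        if event.get("action") != "repo.add_member":
            continue
        actor = event.get("actor", "").lower()
        repo = event.get("repo", "")
        owner = repo.split("/", 1)[0].lower()
        if actor in ioc or owner in ioc:
            hits.append({
                "when": event.get("created_at"),
                "actor": event.get("actor"),
                "repo": repo,
                "invited_user": event.get("user"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_invites(SAMPLE_AUDIT_LOG, IOC_ACCOUNTS):
        print(f"{hit['when']}: {hit['invited_user']} was added to {hit['repo']} "
              f"by {hit['actor']} (matches IoC list)")
```

Matching on the repository owner as well as the inviting actor catches the case where the invite is sent through a repository hosted under a flagged account even if the inviting actor field differs. A single hit is a prompt to follow the remediation advice above, not proof that anything was executed.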
In general, developers should be wary of social media solicitations to collaborate on or install npm packages or software that depends on them, particularly if they are associated with one of the industry sectors identified as being a target of the campaign.
Developers also can examine dependencies and installation scripts, paying close attention to very recently published, net-new packages, and to scripts or dependencies that make network connections during installation, according to GitHub.
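The dependency review GitHub recommends can also be automated before anything is installed. The following is an added example, not code from GitHub's or Phylum's posts: it checks a project's dependencies against registry metadata for the two warning signs named above, a very recent first publication date and install-time lifecycle hooks, and additionally flags hooks whose command text references a network fetch. The package names, dates, and metadata below are constructed; the metadata layout (`time.created` and `scripts`) is assumed to follow what `npm view <pkg> --json` returns for those fields.

```python
import re
from datetime import datetime, timedelta, timezone

# Lifecycle hooks that npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude indicator that a hook command reaches out over the network.
NETWORK_PATTERN = re.compile(
    r"(curl\b|wget\b|https?://|require\(['\"]https?['\"]\)|fetch\(|net\.connect)",
    re.IGNORECASE,
)

# Constructed package.json fragment (names are invented).
SAMPLE_PACKAGE_JSON = {
    "dependencies": {
        "left-pad-ish": "^1.0.0",
        "media-player-helper-example": "0.1.3",
        "trading-utils-example": "0.0.2",
    }
}

# Constructed registry metadata, shaped like the `time` and `scripts` fields
# of `npm view <pkg> --json` (assumed layout).
SAMPLE_REGISTRY = {
    "left-pad-ish": {
        "time": {"created": "2019-03-01T00:00:00.000Z"},
        "scripts": {"test": "node test.js"},
    },
    "media-player-helper-example": {
        "time": {"created": "2023-07-01T00:00:00.000Z"},
        "scripts": {"postinstall": "node -e \"require('https').get('https://example.invalid/t')\""},
    },
    "trading-utils-example": {
        "time": {"created": "2023-07-02T00:00:00.000Z"},
        "scripts": {"preinstall": "node setup.js"},
    },
}


def parse_registry_time(value):
    # Registry timestamps are UTC with millisecond precision and a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_dependencies(package_json, registry, now, max_age_days=30):
    """Return (package, reason) findings for dependencies that are net-new
    or that run install-time hooks, noting hooks that look network-bound."""
    findings = []
    for name in package_json.get("dependencies", {}):
        meta = registry.get(name)
        if meta is None:
            findings.append((name, "no registry metadata available"))
            continue
        created = parse_registry_time(meta["time"]["created"])
        age = now - created
        if age < timedelta(days=max_age_days):
            findings.append((name, f"net-new package, first published {age.days} days ago"))
        scripts = meta.get("scripts", {})
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if not command:
                continue
            reason = f"runs an install hook ({hook})"
            if NETWORK_PATTERN.search(command):
                reason += " that makes a network connection"
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    # Constructed "current time" so the age check is reproducible.
    review_time = datetime(2023, 7, 10, tzinfo=timezone.utc)
    for package, reason in audit_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTRY, review_time):
        print(f"{package}: {reason}")
```

In real use the registry dictionary would be filled from `npm view` output per dependency, and `review_time` would be the current UTC time. The network pattern is deliberately simple; its purpose is to surface hooks for a human to read, since a package that both is days old and opens a connection during install is exactly the profile described above and deserves manual inspection before it is allowed to run.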
