North Korea's Moonstone Sleet Widens Distribution of Malicious Code

Published: 23/11/2024   Category: security




The recently identified threat actor uses public registries for distribution and has expanded capabilities to disrupt the software supply chain.



A newly identified North Korean threat actor has widened its distribution of malicious node package manager (npm) code to public registries. And it is differentiating itself from other state-sponsored groups as it ramps up activity to threaten the software supply chain by poisoning open source code repositories.
Moonstone Sleet first appeared on the scene in late May 2024, when Microsoft revealed that the threat group was concurrently engaged in espionage and financially motivated cyberattacks, using a grab bag of attack techniques against aerospace, education, and software organizations and developers.
Among those techniques was trying to get hired for remote tech jobs with real companies and, in the process, spreading malicious npm packages via LinkedIn and freelancer websites. Now researchers from Checkmarx have discovered that the scope of Moonstone Sleet's malicious npm package activity is wider than first reported, according to a blog post published on June 13, 2024.
"The actor is placing those malicious packages in public open source package repositories that are accessible to developers, an activity that allows the actor to expand its attack surface," Tzachi Zornstein, head of software supply chain at Checkmarx, tells Dark Reading.
"With the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors … it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries," Zornstein and fellow Checkmarx researcher Yehuda Gelb wrote in the post.
The researchers cite the multiyear supply chain attack that culminated in a backdoor implanted in the XZ Utils data compression utility to demonstrate how spreading malicious open source code can have a massive ripple effect across the security of enterprise software.
Checkmarx also found that Moonstone Sleet sets itself apart, through the structure and style of its malicious packages, from another well-known and prolific North Korean actor that engages in similar activity: Jade Sleet, better known as Lazarus.
"The newest packages published late last year and in the first quarter of 2024 show Moonstone Sleet using a single-package approach that executes its payload immediately upon installation," the researchers wrote.
Further, while the earlier payloads included OS-specific code that executed only if the package detected it was running on a Windows machine, packages released earlier this year show the actor adding obfuscation and adding code that targets Linux systems when the package detects that OS, the researchers said.
In contrast, Lazarus designed its packages, discovered in the summer of 2023, to work in pairs, with each package of a pair published from a separate npm user account to split the malicious functionality between them. "This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source," Zornstein and Gelb wrote.
The first package from Lazarus would create a directory on the victim's machine, fetch updates from a remote server, and save them in a file within the newly created directory, while the second package would execute the malicious payload.
The tactic of North Korean threat actors publishing malicious npm packages underscores the persistent nature of their campaigns and poses a growing risk for the open source community that depends on public registries for software development.
"By uploading those malicious packages to a public registry, the attackers abuse the trust that developers have for the open source registries," Zornstein says.
"However, while the open source community plays a key role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the organizations that consume these packages. That's why it's imperative for organizations to scan the code in the packages for malicious behaviors … prior to making the code available to developers," he says.
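The scanning step Zornstein describes can be automated before a package is admitted to an internal mirror. What follows is an added example written for this page, not Checkmarx's tooling and not code from the article: a heuristic pre-ingestion check in Node.js that flags the traits the article attributes to these packages (a payload launched from an npm install lifecycle script, branching on the host operating system, encoded or obfuscated payload data, and remote fetch plus execution). The indicator patterns, weights, thresholds, function names and the two sample packages are constructed assumptions for illustration; on a real package you would unpack the output of `npm pack` and feed in package.json plus the file contents.

```javascript
// Added example for this page (not code from the article or from Checkmarx):
// a heuristic pre-ingestion check for npm packages. It looks for the traits the
// article attributes to the North Korean packages: a payload launched from an
// install lifecycle script, branching on the host OS, encoded/obfuscated data,
// and remote fetch plus execution. Patterns, weights and thresholds are
// assumptions chosen for illustration, not a vetted rule set.

// npm runs these scripts automatically when the package is installed as a
// dependency from the registry (unless --ignore-scripts is used).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Source-level indicators. None proves malice alone; the score combines them.
const INDICATORS = [
  { name: "os-branching",    re: /process\.platform|os\.platform\s*\(/,           weight: 2 },
  { name: "child-process",   re: /require\(\s*['"]child_process['"]\s*\)/,       weight: 3 },
  { name: "dynamic-eval",    re: /\beval\s*\(|new\s+Function\s*\(/,               weight: 3 },
  { name: "base64-decode",   re: /Buffer\.from\([^)]*['"]base64['"]\s*\)/,       weight: 2 },
  { name: "remote-fetch",    re: /require\(\s*['"]https?['"]\s*\)|\bfetch\s*\(/,  weight: 2 },
  { name: "hex-obfuscation", re: /(?:\\x[0-9a-fA-F]{2}){8,}/,                    weight: 2 },
];

// Install-time hooks declared in package.json, with the command each runs.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, cmd: scripts[h] }));
}

// Package files a hook runs directly ("node ./setup.js" style commands only).
function hookTargets(hooks) {
  const targets = new Set();
  for (const { cmd } of hooks) {
    const m = cmd.match(/\bnode\s+(?:\.\/)?(\S+\.js)\b/);
    if (m) targets.add(m[1]);
  }
  return targets;
}

// Names of the indicators present in one source file.
function scanSource(src) {
  return INDICATORS.filter((i) => i.re.test(src)).map((i) => i.name);
}

// Scores one package. Files executed by an install hook count double, since
// that is where a single-package actor runs its payload at install time.
function assessPackage(pkg, files) {
  const hooks = findInstallHooks(pkg);
  const targets = hookTargets(hooks);
  const findings = hooks.map((h) => `install hook ${h.hook}: "${h.cmd}"`);
  let score = hooks.length > 0 ? 3 : 0;

  for (const [name, src] of Object.entries(files)) {
    const hits = scanSource(src);
    if (hits.length === 0) continue;
    const multiplier = targets.has(name) ? 2 : 1;
    for (const hit of hits) {
      score += INDICATORS.find((i) => i.name === hit).weight * multiplier;
    }
    findings.push(`${name}${multiplier === 2 ? " (run by install hook)" : ""}: ${hits.join(", ")}`);
  }

  const verdict = score >= 8 ? "block" : score >= 4 ? "review" : "allow";
  return { name: pkg.name, score, verdict, findings };
}

// Constructed sample packages (not real registry packages). The first mimics the
// described pattern: a postinstall hook runs a file that decodes a payload
// (here just "echo hi") and branches on Windows vs. Linux before executing it.
const SUSPICIOUS_PKG = {
  name: "constructed-suspicious-pkg",
  version: "1.0.0",
  scripts: { postinstall: "node ./setup.js" },
};
const SUSPICIOUS_FILES = {
  "setup.js": [
    'const cp = require("child_process");',
    'const payload = Buffer.from("ZWNobyBoaQ==", "base64").toString();',
    'if (process.platform === "win32") cp.exec("cmd /c " + payload);',
    'else if (process.platform === "linux") cp.exec("sh -c " + payload);',
  ].join("\n"),
  "index.js": 'module.exports = () => "hello";',
};

const BENIGN_PKG = {
  name: "constructed-benign-pkg",
  version: "1.0.0",
  scripts: { test: "node test.js" },
};
const BENIGN_FILES = {
  "index.js": "module.exports = function add(a, b) { return a + b; };",
};

for (const [pkg, files] of [[SUSPICIOUS_PKG, SUSPICIOUS_FILES], [BENIGN_PKG, BENIGN_FILES]]) {
  console.log(JSON.stringify(assessPackage(pkg, files), null, 2));
}
```

Run it with node; it prints a verdict for each sample package (the constructed suspicious one is blocked, the benign one allowed). In a CI gate, pair a check like this with `npm install --ignore-scripts` so that no lifecycle script runs before the scan has passed, and treat a `review` verdict as a prompt for a human look: a static pattern match of this kind is deliberately cheap and will miss heavily obfuscated or staged code, such as the two-package split the article attributes to Lazarus.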
Developers and organizations also should continue to collaborate and share information among themselves and with the security community to identify and thwart these attacks, the researchers said. "Through collective effort and proactive measures," they wrote, "we can work towards a safer and more secure open-source ecosystem for all."
