DPRK Unleashes Sophisticated Social Engineering Attacks on Open-Source Maintainers and Crypto Protocols

North Korean state-sponsored threat actors (DPRK) are executing highly elaborate social engineering campaigns against prominent open-source maintainers and cryptocurrency protocols, leading to significant compromises and multi-million dollar losses. One such incident, reportedly detected by Google's "Norcorea Nexus Threat Actor" group, saw the popular Axios JavaScript library compromised. In this attack, maintainer Jason Simon was ensnared in a meticulously crafted social engineering scheme: attackers cloned a company's identity, invited Simon to a legitimate-looking Slack workspace, and, during a Microsoft Teams call, feigned audio issues to coerce him into installing a "system update" that was in fact a remote access trojan. The compromise of his account enabled the publication of two malicious npm versions of Axios, a severe supply chain attack on a widely used dependency.

Further escalating concerns, the Solana-based Drift Protocol suffered a staggering $280 million loss following a six-month-long, multi-stage social engineering operation. DPRK-affiliated individuals allegedly infiltrated Drift by posing as a legitimate trading firm, building trust over half a year through in-person interactions at multiple global crypto conferences and extensive online engagement, even investing $1 million of their own capital to establish credibility. This prolonged engagement culminated in the sharing of malicious software disguised as project tools and wallet applications in Telegram chats, exploiting vulnerabilities such as an arbitrary code execution flaw in Visual Studio Code/Cursor triggered by opening specific files. Once the exploit succeeded, the group swiftly vanished, erasing all digital traces. These incidents underscore a critical need for heightened vigilance against sophisticated human-centric attacks. They also call for a re-evaluation of default behaviors in package managers like npm, particularly the automatic execution of postinstall scripts, which remains a potent vector for supply chain compromise, as exemplified by recent warnings about malicious dependencies in technical test projects.