North Korean Hackers Compromise Go and PHP Packages
5 hours ago
- #software security
- #DPRK malware
- #supply-chain attack
- PolinRider is a DPRK-linked supply-chain campaign that takes over legitimate GitHub accounts and injects obfuscated JavaScript loaders into repositories.
- Initially confined to GitHub, the campaign expanded to multiple package ecosystems including Packagist, Go modules, npm, and PyPI without evolving its malware.
- Ecosystems like Go and Packagist are particularly vulnerable because they resolve packages directly from Git repos, making GitHub account takeovers equivalent to publishing access.
- The malware uses methods such as appending JavaScript to config files, fake .woff2 font files, .vscode/tasks.json triggers, and typosquatted npm dependencies.
- Payloads are distributed via blockchain dead-drops (e.g., TRON, Aptos) and lead to Lazarus toolkit implants like Beavertail and InvisibleFerret for credential theft and C2.
- Git history is rewritten using scripts like temp_auto_push.bat to hide tampering, preserving original timestamps through force-pushed commits.
- Defenders should audit registry publication history against repo modifications, enforce strong GitHub security (e.g., MFA), and scan for IOCs like hidden JavaScript and malicious tasks.json.
- While npm and PyPI are less susceptible due to separate publishing credentials, PolinRider still publishes malicious packages from scratch in those ecosystems.