Hasty Briefsbeta

Bilingual

North Korean Hackers Compromise Go and PHP Packages

5 hours ago
  • #software security
  • #DPRK malware
  • #supply-chain attack
  • PolinRider is a DPRK-linked supply-chain campaign that takes over legitimate GitHub accounts and injects obfuscated JavaScript loaders into repositories.
  • Initially confined to GitHub, the campaign expanded to multiple package ecosystems including Packagist, Go modules, npm, and PyPI without evolving its malware.
  • Ecosystems like Go and Packagist are particularly vulnerable because they resolve packages directly from Git repos, making GitHub account takeovers equivalent to publishing access.
  • The malware uses methods such as appending JavaScript to config files, fake .woff2 font files, .vscode/tasks.json triggers, and typosquatted npm dependencies.
  • Payloads are distributed via blockchain dead-drops (e.g., TRON, Aptos) and lead to Lazarus toolkit implants like Beavertail and InvisibleFerret for credential theft and C2.
  • Git history is rewritten using scripts like temp_auto_push.bat to hide tampering, preserving original timestamps through force-pushed commits.
  • Defenders should audit registry publication history against repo modifications, enforce strong GitHub security (e.g., MFA), and scan for IOCs like hidden JavaScript and malicious tasks.json.
  • While npm and PyPI are less susceptible due to separate publishing credentials, PolinRider still publishes malicious packages from scratch in those ecosystems.