Fake npm packages trick software developers into installing malware

admin, 2024-04-28 13:12:55

An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor.

Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors.

"During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. "The software contained a malicious Node JS payload that, once executed, compromised the developer's system."

Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster dubbed Contagious Interview in which the threat actors pose as employers to lure software developers into installing malware such as BeaverTail and InvisibleFerret through the interview process.

Then earlier this February, software supply chain security firm Phylum uncovered a set of malicious packages on the npm registry that delivered the same malware families to siphon sensitive information from compromised developer systems.

It's worth noting that Contagious Interview is said to be disparate from Operation Dream Job (aka DeathNote or NukeSped), with Unit 42 telling The Hacker News that the former is "focused on targeting developers, mainly through fake identities in freelance job portals, and the next stages involve the use of developer tools and npm packages leading to [...] BeaverTail and InvisibleFerret."

Operation Dream Job, attributed to the prolific North Korean Lazarus Group, is a long-running offensive campaign that sends professionals in sectors such as aerospace, cryptocurrency and defense malicious files dressed up as job offers in order to deliver malware.

First uncovered by Israeli cybersecurity firm ClearSky at the start of 2020, it also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.

The attack chain detailed by Securonix starts with a ZIP archive hosted on GitHub that's likely sent to the target as part of the interview. Present within the file is a seemingly innocuous npm module that harbors a malicious JavaScript file codenamed BeaverTail that acts as an information stealer and a loader for a Python backdoor called InvisibleFerret that's retrieved from a remote server.
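
The practical lesson of that chain is that the dangerous step is `npm install` itself, not a later deliberate action: a lifecycle script in package.json runs before the candidate has read any of the code. The following audit script is an added example, not code from Securonix, Unit 42 or the report; it unpacks a ZIP as handed over in such an "interview", looks for install hooks and for JavaScript that evals packed strings, spawns processes or launches Python, and reports what it finds. The indicator patterns, the 200-character threshold for packed strings and the sample package are constructed assumptions for illustration, not signatures for BeaverTail or InvisibleFerret.

```python
"""Pre-install audit of an npm package delivered as a ZIP or file tree.

Added example (not Securonix's or Unit 42's code). Heuristics and sample
data below are constructed for illustration, not extracted from the report.
"""
import base64
import io
import json
import math
import re
import zipfile
from collections import Counter
from dataclasses import dataclass

# npm executes these package.json scripts automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed generic indicators, not signatures for BeaverTail/InvisibleFerret.
RISKY_API = {
    "dynamic-eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "child-process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "network": re.compile(r"require\(\s*['\"](?:https?|net|dgram)['\"]\s*\)"),
    "home-dir-access": re.compile(r"os\.homedir\(\)|process\.env\.(?:HOME|APPDATA|USERPROFILE)"),
    "python-launch": re.compile(r"['\"](?:python3?|py)['\"]"),
}
# A string literal of 200+ base64/hex characters usually carries a packed payload
# (threshold is an assumption).
PACKED_STRING = re.compile(r"['\"]([A-Za-z0-9+/=]{200,}|[0-9a-fA-F]{200,})['\"]")


@dataclass
class Finding:
    path: str
    kind: str
    detail: str
    score: float = 0.0  # entropy in bits/char for packed strings, else 0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; base64/hex-packed payloads sit well above readable JS."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_package(files: dict) -> list:
    """files maps relative path -> bytes. Returns a list of Finding."""
    findings = []
    for path, data in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == "package.json":
            scripts = json.loads(data).get("scripts", {})
            for hook in LIFECYCLE_HOOKS:
                if hook in scripts:
                    findings.append(Finding(path, "lifecycle-hook", f"{hook}: {scripts[hook]}"))
        elif name.endswith((".js", ".cjs", ".mjs")):
            text = data.decode("utf-8", errors="replace")
            for kind, rx in RISKY_API.items():
                m = rx.search(text)
                if m:
                    findings.append(Finding(path, kind, m.group(0)))
            for m in PACKED_STRING.finditer(text):
                lit = m.group(1)
                findings.append(Finding(path, "packed-string", f"{len(lit)} chars",
                                        shannon_entropy(lit.encode())))
    return findings


def audit_zip(zip_source) -> list:
    """zip_source is a path or file-like object, e.g. the archive from the 'interview'."""
    with zipfile.ZipFile(zip_source) as zf:
        files = {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}
    return audit_package(files)


# Constructed sample: a benign-looking task whose postinstall hook runs a
# script that decodes a packed blob, eval()s it and spawns python3.
_BLOB = base64.b64encode(bytes(range(256))).decode()  # stand-in for a packed payload
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "interview-task", "version": "1.0.0",
                                "scripts": {"postinstall": "node lib/setup.js", "test": "jest"}}).encode(),
    "lib/setup.js": (
        "const cp = require('child_process');\nconst os = require('os');\n"
        f"const blob = '{_BLOB}';\n"
        "eval(Buffer.from(blob, 'base64').toString());\n"
        "cp.spawn('python3', [os.homedir() + '/.cache/stage2.py']);\n"
    ).encode(),
    "README.md": b"# Interview task\nRun `npm install && npm test`.\n",
}
CLEAN_PACKAGE = {  # constructed control case with nothing to flag
    "package.json": json.dumps({"name": "demo", "scripts": {"test": "jest"}}).encode(),
    "index.js": b"module.exports = (a, b) => a + b;\n",
}


def build_sample_zip() -> io.BytesIO:
    """Pack SAMPLE_PACKAGE under a top-level folder, as a GitHub download would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in SAMPLE_PACKAGE.items():
            zf.writestr("interview-task-main/" + path, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in audit_zip(build_sample_zip()):
        extra = f" entropy={f.score:.2f}" if f.score else ""
        print(f"{f.path}: {f.kind} ({f.detail}){extra}")
```

Run it against the archive before anything else touches it (`audit_zip("task.zip")`), and regardless of what it reports, install with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) so that no lifecycle hook runs until the code has been read. The heuristics will miss a payload that is only fetched at runtime, so a clean report is a reason to keep reading, not a reason to run the package.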

The implant, besides gathering system information, is capable of command execution, file enumeration and exfiltration, and clipboard and keystroke logging.

The development is a further sign that North Korean threat actors keep refining their cyber attack arsenal, updating their tradecraft to better hide their actions and blend in on host systems and networks, while continuing to siphon off data and turn compromises into financial gain.

"When it comes to attacks which originate through social engineering, it's critical to maintain a security-focused mindset, especially during intense and stressful situations like job interviews," Securonix researchers said.

"The attackers behind the DEV#POPPER campaigns abuse this, knowing that the person on the other end is in a highly distracted and much more vulnerable state."

References

[1]https://thehackernews.com/2024/04/bogus-npm-packages-used-to-trick.html


Originally published on the WeChat public account 知机安全: 软件开发者被骗安装恶意软件的虚假npm包

Reposted by CN-SEC 中文网: http://cn-sec.com/archives/2694385.html