GitHub Warns of Lazarus Group's Social Engineering Campaign Targeting Developers

GitHub recently issued a security alert warning of a social engineering campaign targeting developer accounts in the cryptocurrency, blockchain, cybersecurity, and online gambling domains.

The campaign, which has been linked to the infamous North Korean Lazarus hacking group, aims to infect their systems with malware. Lazarus is notorious for its high-profile attacks against cryptocurrency companies and cybersecurity researchers, intending to steal cryptocurrency and conduct cyber espionage.

“GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies,” reads GitHub’s security advisory.

The North Korean hackers have been reported to compromise legitimate accounts or create fake personas on GitHub and social media, masquerading as recruiters and developers. They initiate contact, often attempting to transition the conversation from one platform to another.

Once contact is established, the perpetrators lure the victims to collaborate on a GitHub repository, either public or private.

These repositories often contain malicious code embedded in software that includes harmful npm (JavaScript package manager) dependencies, commonly seen in media players and cryptocurrency trading tools.

Domains used for second-stage malware downloads include:

• npmjscloud[.]com
• npmrepos[.]com
• cryptopriceoffer[.]com
• tradingprice[.]net
• npmjsregister[.]com
• bi2price[.]com
• npmaudit[.]com
• coingeckoprice[.]com

The threat actors are cautious, refraining from publishing malicious packages if unsure of a hit to prevent unnecessarily exposing the malicious code and getting caught. However, they might attempt to deliver the malware directly on messaging or file-sharing platforms, bypassing the repository invitation/clone step.

GitHub has taken a series of steps to limit the harm done by this campaign, including:

• Suspension of npm and GitHub accounts associated with the campaign
• Publication of a list of indicators of compromise (IoC)
• Filing abuse reports with domain hosts if the rogue domain was still active at detection

Additionally, GitHub released a series of security recommendations for users to mitigate this malicious campaign:

• Be cautious if solicited to clone or download content associated with accounts listed in the advisory
• Review security logs for action:repo.add_member events to see if they've accepted an invite to a rogue repository
• Stay alert for suspicious social media solicitations to collaborate on or install npm packages or software that depends on them
• Contact your employer's cybersecurity department if targeted
• Reset or wipe potentially affected devices, change account passwords, and rotate sensitive credentials or tokens stored on the potentially affected devices

This campaign exposes the growing threats in the technology sector, particularly among crypto, blockchain, and cybersecurity domains. Developers and firms in these domains are advised to exercise caution and heed GitHub's recommendations to stay protected.

Using specialized software such as Bitdefender Ultimate Security can protect you against downloading and executing malicious code on your computer. Key features include:

• 24/7, comprehensive detection and protection against viruses, Trojans, worms, spyware, rootkits, zero-day exploits, ransomware, and other e-threats
• Behavioral detection module that closely monitors active apps and takes instant action upon detecting suspicious activity
• Network threat prevention technology that analyzes, detects, and blocks suspicious network-level activities, including sophisticated exploits, brute-force attacks, and malware- and botnet-related URLs