🗄️ Assets

DPRK Scales npm Malware Campaign With AI-Generated Code, Fake Tech Firms, and Remote RAT Deployment

North Korean threat actors have launched a new wave of npm supply chain attacks using AI-generated malicious package code that bypasses static analysis tools, fake software development firms as cover identities, and a multi-stage RAT that exfiltrates source code, cryptographic keys, and credentials from developer workstations. The campaign targets blockchain, DeFi, and fintech developers — organisations in these sectors should audit npm dependencies and developer machine security.

5 min read
#dprk#north-korea#npm#supply-chain#ai-generated-malware#source-code-theft#crypto-theft#rat

North Korean state-sponsored threat actors — tracked by researchers as an offshoot of the Lazarus Group cluster — have launched a significantly evolved npm supply chain campaign that uses AI-generated malicious package code, fabricated technology company identities as publisher cover, and a remote access trojan specifically engineered to exfiltrate intellectual property from developer workstations. The campaign represents a meaningful escalation in the technical sophistication of DPRK supply chain operations, and its focus on source code, cryptographic wallet keys, and developer credentials reflects the regime’s established priority of currency theft and IP acquisition.

What’s New in This Campaign Wave

Previous DPRK npm campaigns — including the Contagious Interview series and Sapphire Sleet’s axios package compromise — relied on relatively straightforward malicious packages that were identifiable through static analysis. This new wave introduces three capabilities that change the detection calculus:

AI-generated obfuscation: The malicious npm packages in this campaign contain functional JavaScript code that appears to perform a legitimate utility purpose (a string formatting library, a date conversion utility, a cryptocurrency address validator). The code was identified by Socket Security’s analysis tools as AI-generated — it is well-structured, passes ESLint checks, includes meaningful variable names and comments, and would not trigger most automated static analysis rules that look for obfuscation patterns. The actual malicious payload is embedded in a dependency installed via a legitimate-looking postinstall chain.

Fake technology firm publisher identities: The packages are published under npm accounts belonging to what appear to be small technology firms — complete with GitHub organisation pages, a company website with generic developer tooling descriptions, and several months of plausible commit history. The organisations were registered specifically for this campaign and have no verifiable real-world presence. This mimics the way legitimate small development tooling companies publish packages, providing cover against “brand new account” heuristics.

Multi-stage RAT with IP-focused exfiltration: The payload establishes a persistent remote access trojan that specifically targets: Git repository contents and commit history, AWS/GCP/Azure credential files, SSH private keys, cryptocurrency wallet files (including hardware wallet seed phrase storage locations used by common desktop wallet applications), environment variable files, and .npmrc files containing private registry authentication tokens. Unlike broad credential stealers, this RAT’s exfiltration priority list reflects a targeted interest in cryptographic assets and source code — consistent with established DPRK financial theft and IP acquisition objectives.

Targeted Sector

The campaign specifically targets blockchain protocol development teams, decentralised finance (DeFi) projects, cryptocurrency exchange development shops, and fintech companies building on smart contract platforms. The package names and described utilities reference Ethereum development tooling, Solana program frameworks, and cross-chain bridge development. This targeting is consistent with DPRK’s well-documented strategy of compromising cryptocurrency infrastructure to generate hard currency for the regime.

At least 14 malicious packages from this campaign have been identified and removed from the npm registry. Packages received between 800 and 12,000 downloads each during the window they were live. Not all downloads result in payload execution, as the malicious behaviour requires specific runtime conditions, but any installation on a developer workstation handling cryptocurrency keys or source code is a high-severity exposure.

Enterprise and Development Team Impact

The campaign’s IP-theft focus makes it directly relevant to the asset security perspective:

Source code as a primary target: The RAT’s Git repository exfiltration targets the organisation’s most sensitive intellectual property. For fintech and blockchain companies, source code for smart contracts, proprietary trading algorithms, and cryptographic protocol implementations represents assets whose theft provides both direct financial exploitation value and competitive intelligence.

Cryptographic key theft enables direct financial losses: Private keys exfiltrated from developer workstations that have ever handled cryptocurrency wallets — including hardware wallet management applications — can enable immediate theft of digital assets. Several confirmed incidents in prior DPRK campaign waves resulted in multi-million dollar losses from developer machine key theft.

npm token exfiltration enables further supply chain propagation: .npmrc authentication tokens stolen from developer machines can be used to publish additional malicious packages under the victim organisation’s own npm identity — extending the attack to the organisation’s downstream users.

  • Audit recently installed npm packages — review package-lock.json and node_modules for packages installed in the past 30 days, particularly in any projects related to blockchain, DeFi, or cryptocurrency. Use npm audit and cross-reference with Socket Security’s detection feed or similar supply chain analysis tools.
  • Enforce npm provenance and publisher verification — require --provenance flag and verified publisher attestation for new package additions to critical projects; consider using npm pack and manual review before installing unfamiliar packages.
  • Protect cryptocurrency keys from developer workstations — hardware wallet seed phrases and private keys should never be stored on developer machines; enforce this policy across all development team members and audit for exceptions.
  • Restrict .npmrc token scope — issue project-scoped npm publish tokens rather than account-level tokens; rotate all npm authentication tokens for developers working on cryptocurrency-adjacent projects.
  • Apply filesystem monitoring for exfiltration-typical patterns — configure EDR or DLP tools to alert on bulk reads of ~/.ssh/, ~/.aws/credentials, cryptocurrency wallet directories, and .env files, particularly when followed by outbound network connections.

Share this article