AI Security AI安全 4d ago Updated 4d ago 更新于 4天前 49

North Korean Hackers Target Open Source Developers in Supply Chain Attacks 朝鲜黑客针对开源开发者发动供应链攻击

North Korean threat actors are executing a sophisticated supply chain attack named PolinRider, targeting open-source developers via compromised GitHub repositories. The campaign injects obfuscated JavaScript loaders into packages on NPM, Packagist, Go modules, and Chrome extensions to deliver DEV#POPPER RAT and OmniStealer malware. Attackers utilize account compromise, Git history rewriting to hide malicious commits, and blockchain/RPC infrastructure for payload retrieval, affecting over 100 uni 朝鲜黑客组织通过名为 PolinRider 的活动,针对开源软件开发者发起供应链攻击,自2025年12月起持续进行。 攻击者利用被入侵的 GitHub 仓库注入 JavaScript 加载器,分发 DEV#POPPER 远程访问木马(RAT)和 OmniStealer 信息窃取工具。 该活动是更广泛的“Contagious Interview”行动的一部分,目标涵盖 NPM、Packagist、Go 模块及 Chrome 扩展程序。 截至报告发布,已识别出 108 个唯一包中的 162 个恶意发布工件,攻击者通过重写 Git 历史来掩盖恶意更改的时间线。 受影响环境应被视为已受损,建议从干净的

75
Hot 热度
65
Quality 质量
70
Impact 影响力

Analysis 深度分析

TL;DR

  • North Korean threat actors are executing a sophisticated supply chain attack named PolinRider, targeting open-source developers via compromised GitHub repositories.
  • The campaign injects obfuscated JavaScript loaders into packages on NPM, Packagist, Go modules, and Chrome extensions to deliver DEV#POPPER RAT and OmniStealer malware.
  • Attackers utilize account compromise, Git history rewriting to hide malicious commits, and blockchain/RPC infrastructure for payload retrieval, affecting over 100 unique packages.
  • Remediation requires treating all affected environments as compromised and performing security reviews from clean machines due to potential credential exposure.

Why It Matters

This incident highlights the critical vulnerability of open-source ecosystems to state-sponsored supply chain attacks, demonstrating how threat actors leverage developer trust and complex build pipelines to distribute malware. For AI practitioners and software engineers, it underscores the necessity of rigorous dependency auditing and secure credential management, as compromised tools can lead to widespread data exfiltration and infrastructure takeover.

Technical Details

  • Malware Delivery: Compromised repositories contain obfuscated JavaScript loaders that fetch encrypted payloads from blockchain networks and public RPC endpoints, delivering the DEV#POPPER remote access trojan and OmniStealer information stealer.
  • Evasion Techniques: Attackers use Git history rewriting to make malicious injections appear as older, legitimate commits, and hide loaders in configuration files to bypass initial cleanup efforts.
  • Scope: Socket identified 162 malicious release artifacts across 108 unique packages, targeting major registries including NPM, Packagist, Go modules, and Chrome extensions.
  • Targeted Infrastructure: The campaign exploits maintainer account compromises to directly tamper with legitimate repositories, ensuring high visibility and trust among downstream users.

Industry Insight

  • Organizations must implement strict automated scanning for anomalous Git history changes and unexpected network calls from build scripts, particularly those involving blockchain or RPC connections.
  • Security teams should enforce zero-trust principles for development environments, assuming that any installed package from a compromised registry may have already exfiltrated credentials, necessitating immediate rotation from isolated, clean systems.
  • The persistence of such campaigns indicates a need for enhanced collaboration between package maintainers, registry operators, and security firms to detect and mitigate supply chain intrusions before widespread distribution occurs.

TL;DR

  • 朝鲜黑客组织通过名为 PolinRider 的活动,针对开源软件开发者发起供应链攻击,自2025年12月起持续进行。
  • 攻击者利用被入侵的 GitHub 仓库注入 JavaScript 加载器,分发 DEV#POPPER 远程访问木马(RAT)和 OmniStealer 信息窃取工具。
  • 该活动是更广泛的“Contagious Interview”行动的一部分,目标涵盖 NPM、Packagist、Go 模块及 Chrome 扩展程序。
  • 截至报告发布,已识别出 108 个唯一包中的 162 个恶意发布工件,攻击者通过重写 Git 历史来掩盖恶意更改的时间线。
  • 受影响环境应被视为已受损,建议从干净的设备上进行补救,以防止包注册表、源代码及 CI/CD 凭据泄露。

为什么值得看

这篇文章揭示了针对开源生态系统的国家级网络威胁的最新演变,特别是攻击者如何利用开发者信任机制和供应链漏洞进行大规模渗透。对于安全从业者和开源维护者而言,了解此类攻击的具体技术细节(如 Git 历史重写和配置文件中隐藏载荷)对于构建更有效的检测和防御策略至关重要。

技术解析

  • 攻击载体与工具:攻击者通过篡改维护者账户,在合法仓库中推送包含混淆 JavaScript 加载器的恶意包。这些加载器连接至区块链和公共 RPC 基础设施以检索加密载荷,最终部署 DEV#POPPER RAT 和 OmniStealer 信息窃取器。
  • 规避检测手段:黑客利用 Git 历史重写技术,将恶意更改标记为较早的历史记录,从而绕过基于时间线的代码审查和安全扫描工具,增加了溯源和检测的难度。
  • 多平台覆盖:攻击范围不仅限于 GitHub,还扩展至 Packagist(PHP 包注册表),其中 sevenspan 命名空间下的多个包被入侵,且恶意加载器隐藏在配置文件中,导致清理操作未能完全识别威胁。
  • 影响规模:Socket 安全团队已确认 108 个独特软件包中存在 162 个恶意发布版本,且随着活动持续,预计受影响数量将继续增加。

行业启示

  • 强化供应链安全审计:开源项目维护者需实施更严格的访问控制和多因素认证,并定期审查仓库的历史提交记录,以检测异常的时间戳修改或未经授权的变更。
  • 零信任环境假设:企业应假设任何安装过可疑开源包的开发者工作站可能已被完全控制,必须从隔离的干净环境中进行凭据轮换和系统恢复,而非直接在受感染主机上操作。
  • 监控第三方依赖风险:开发团队需加强对 NPM、Packagist 等包注册表中依赖项的实时监控,特别是对于小众或维护不活跃的包,应建立自动化的恶意行为检测机制。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Open Source 开源 Security 安全