Security Alert: Social Engineering Campaign Targets Tech Employees

GitHub has identified a low-volume social engineering campaign that combined repository invites and malicious npm package dependencies to target the personal accounts of employees of technology companies. Many of these targeted accounts are connected to blockchain, cryptocurrencies, or the online gambling sector. There were also several targets related to the cybersecurity field. No GitHub or npm systems were compromised in this campaign. This blog post is published as a warning to customers to prevent exploitation by this threat actor.

Threat actor profile

We believe this campaign is related to a group known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), working in support of North Korea’s cause. We have a high degree of confidence that Jade Sleet primarily targets users associated with cryptocurrencies and other blockchain-related organizations, but also targets the vendors used by those companies.

attack chain

The attack chain works like this:

  1. Jade Sleet impersonates a developer or recruiter by creating one or more fake persona accounts on GitHub and other social media providers. So far, we have identified fake personas active on LinkedIn, Slack, and Telegram. In some cases, these are fake personas. They may also use legitimate accounts hijacked by Jade Sleet. An attacker may initiate contact on one platform and then attempt to move the conversation to another platform.
  2. After establishing contact with the target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its content. GitHub repositories can be public or private. A GitHub repository contains software with malicious npm dependencies. Software themes used by threat actors include media players and cryptocurrency trading tools.
  3. The malicious npm package acts as a first stage malware that downloads and executes second stage malware on the victim’s machine. The domains used for the second stage download are: are listed below.

Threat actors often publish malicious packages only by prolonging invitations to rogue repositories, minimizing the exposure of new malicious packages to scrutiny.

In some cases, an attacker may bypass the repository invite/clone procedure and deliver malicious software directly over a messaging or file sharing platform.

How the first stage malware works is detailed below. Blog by Phylum Security.

Phylum’s research is conducted entirely independently of GitHub and reflects our own research.

What GitHub does

  • We have terminated the npm and GitHub accounts associated with the campaign.
  • We publish the indicators below.
  • If the domain was still available at the time of detection, we submitted an abuse report to the domain host.

what you can do

  • You are eligible for this promotion if someone solicits you to clone or download content associated with any of the accounts listed below.
  • you can Check your security log for action:repo.add_member Browse the event to see if you accepted a repository invitation from one of the accounts listed below.
  • Beware of social media solicitations to collaborate or install npm packages or software that depends on them. Especially if you are involved in any of the above covered industry sectors.
  • Examine dependencies and installation scripts. Brand new packages that have been published recently, or scripts or dependencies that establish network connectivity during installation should receive special scrutiny.
  • If you are eligible for the campaign, we encourage you to contact your employer’s cybersecurity department.
  • Reset or wipe the potentially affected device, change account passwords, and sensitive credentials stored on the potentially affected device if you have run content as a result of this campaign; It might be wise to rotate the /token.



npm js cloud[.]Com
crypto price offers[.]Com
transaction price[.]Net
npmjs registration[.]Com
buy 2 price[.]Com
coin gecko price[.]Com

malicious npm package

asset graph
asset table
Audit view
binance price
coin gecko price
cache reaction
cache view
chart vxe
couch cash audit
ellipse helper
ellipse parser
jpeg metadata
price fetch
price record
Synchronous https-api
tslib react
vue – audit

Malicious GitHub account

galaxy star team
crypto innoise
net golden

malicious npm account

Charleston 2023
Ephrozumi Breathbun
galaxy star fat
Reimed Kegorie 3
Leshakov Mikhail
Phosphorus redekiri 9g
Mashrya Bakhromkina
Mayville Kusiotte
Outment sure how 3
Porumokai prevs
Podmarev. Gorga
Tetik Seidif 51
Toymans Wotsfoss



https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/ Security Alert: Social Engineering Campaign Targets Tech Employees

Show More
Back to top button