GitHub warned about the spread of a social engineering campaign aimed at the personal accounts of employees of technology firms in the field of blockchain, cryptocurrency or online games.

Agency specialists CISA attributed this campaign to the North Korean group Jade Sleet (TraderTraitor). The group mainly targets users associated with cryptocurrencies and other blockchain-related entities, but also targets vendors of these firms.

The attack begins with the attacker creating fake accounts (or taking over existing ones) on GitHub and various social networks and instant messengers (LinkedIn*, Slack and Telegram), posing as a developer or company recruiter.

After contacting the victim, the attacker invites them to collaborate on a GitHub repository and convinces the target to clone and execute the content. However, the GitHub repo contains software that includes malicious npm dependencies. Some software topics include media players and cryptocurrency trading tools. The npm packages then download and run the malware on the victim’s device.

To avoid checking the package for malicious functions, the cybercriminal publishes the packages only when he invites the victim to the repository. In some cases, an attacker can deliver malware directly to the messenger, bypassing the stage of inviting/cloning the repository. At the moment, all malicious accounts are disabled.

Observed payloads include updated versions of Manuscrypt For macOS And Windowsa special remote access trojan (Remote Access Trojan, RAT) that collects system information, executes arbitrary commands, and downloads additional payloads. Previously, CISA experts attributed the use of the Manuscrypt tool to North Korean group Lazarus .

* The social network is prohibited on the territory of the Russian Federation.