PANews reported on March 3 that the GoPlus Chinese community issued a warning on the X platform stating that North Korean hackers released a set of 26 malware packages to the npm registry. These packages all include an installation script ("install.js"), which executes automatically during package installation, running malicious code located in "vendor/scrypt-js/version.js". This malicious code downloads and executes a Remote Access Trojan (RAT) via a malicious URL, performing actions such as keylogging, clipboard theft, browser credential collection, TruffleHog secret scanning of Git repositories, and SSH key theft. This incident is related to a North Korean hacking activity called "Famous Chollima".
Users and developers are advised to carefully check the source and security of software packages before installation to avoid the following 26 types of malware, which could lead to privacy breaches or asset losses:
- argonist@0.41.0
- bcryptance@6.5.2
- bee-quarl@2.1.2
- bubble-core@6.26.2
- corstoken@2.14.7
- daytonjs@1.11.20
- ether-lint@5.9.4
- expressjs-lint@5.3.2
- fastify-lint@5.8.0
- formmiderable@3.5.7
- hapi-lint@19.1.2
- iosysredis@5.13.2
- jslint-config@10.22.2
- jsnwebapptoken@8.40.2
- kafkajs-lint@2.21.3
- loadash-lint@4.17.24
- mqttoken@5.40.2
- prism-lint@7.4.2
- promanage@6.0.21
- sequelization@6.40.2
- typoriem@0.4.17
- undicy-lint@7.23.1
- uuindex@13.1.0
- vitetest-lint@4.1.21
- windowston@3.19.2
- zoddle@4.4.2
