FRESH

Hacker News

The Blueprint of a North Korean Attack on Open-Source

27 points by brene

by RugZug

0 subcomment

The website loads for a second and then

  Application error: a client-side exception has occurred while loading casco.com (see the browser console for more information).

by brene

2 subcomments

Author here. We were analyzing a compromised contributor account targeting better-auth when we noticed something interesting about the attack vector. Most coverage of supply chain attacks focuses on the "what happened" but I wanted to document the "how it actually works" with the deobfuscated code.
Wwo things stood out: 1. hiding the payload in next.config.mjs is clever because GitHub's UI truncates long lines so the malicious string is literally invisible when scrolling through the file. second, storing the c2 payload on binance smart chain means theres no server to take down. The axios attack was mitigated by removing the GitHub-hosted payload. This one can't be.
2. found 30+ repos with the same signature string. Pretty sure there's way more we didn't catch with basic string matching.
happy to answer questions about the deobfuscation process or the c2 protocol analysis.

by iannacl

1 subcomments

The blockchain angle to circumvent takedowns of the payload hosting here is really interesting.

by rafaveira3

0 subcomment