Cyber Security Threat Summary:
GitHub has identified a low-volume social engineering campaign targeting personal accounts of employees in technology firms. The attackers use GitHub repository invitations and malicious npm package dependencies. The targets are often associated with blockchain, cryptocurrency, online gambling, or cybersecurity sectors. The threat actor behind this campaign is likely linked to North Korean objectives and has been identified as Jade Sleet or TraderTraitor.

Security Officer Comments:
The attack operates by impersonating developers or recruiters on platforms like GitHub, LinkedIn, Slack, and Telegram. They invite targets to collaborate on a repository containing malicious npm packages, acting as first-stage malware, which then downloads and executes second-stage malware on the victim's machine.

Suggested Correction(s):
GitHub has suspended associated npm and GitHub accounts and filed abuse reports with domain hosts. Users are advised to review security logs, be cautious of social media solicitations, and examine dependencies and installation scripts for scrutiny. Those targeted should contact their employer's cybersecurity department and consider resetting devices, changing passwords, and rotating sensitive credentials/tokens if they executed any content from the campaign. They are IOCS available via GitHub’s official posting.

Link(s):
https://github.blog/