RC RANDOM CHAOS

DPRK Operators Lean on AI-Generated npm Payloads and Shell Companies in Latest Campaign

· via The Hacker News

Original source: "New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs" (The Hacker News)

North Korean threat actors have refreshed their developer-targeting playbook, pushing malicious npm packages whose payloads show fingerprints of AI-assisted authoring. The packages drop remote access trojans onto contributor machines, extending the DPRK’s long-running pattern of poisoning the JavaScript supply chain to reach engineers at crypto and Web3 firms.

The operation pairs the package drops with a network of fake corporate fronts used to recruit, contract, and onboard targets, a tradecraft layer that turns ordinary hiring funnels and freelance pipelines into delivery vectors. Once a developer installs a tainted dependency or runs a coding-test repo from one of the shell firms, the RAT establishes persistence and harvests credentials, wallets, and source code.

The shift to AI-generated obfuscation matters because it lowers the marginal cost of churning out unique malicious package variants faster than registry defenders can triage them. Combined with social-engineering infrastructure that mimics legitimate startups, the campaign continues to bypass code-review intuition that depends on spotting human-authored sloppiness.

This is an AI-generated summary. Read the original for the full story.