The OpenSourceMalware Show #10
Version sandwiching, blockchain C2 reuse, cross-ecosystem attacks, dynamic imports, and payload splitting
The OpenSourceMalware Show is available on YouTube, LinkedIn, and as a podcast.
This week we talked about:
DPRK Lazarus Group trends in software supply chain malware: Paul describes three active techniques he’s observing from North Korea’s Lazarus Group. The first is “version sandwiching,” where threat actors publish benign versions of a package before and after a malicious one, then pin their delivery mechanism to the malicious version so scanners checking the latest release see nothing wrong. The second is their continued reuse of Aptos, Tron, and Binance BSC blockchain addresses as mutable C2 infrastructure, which allows defenders to tie disparate campaigns to the same threat actor. The third is human-readable campaign name strings embedded in payloads, functioning like UTM tags and likely reflecting internal tracking within Lazarus subgroups.
General supply chain threat landscape: Cross-ecosystem attacks, once limited to nation-state actors, are now being executed by low-sophistication crews using vibe coding tools to quickly port payloads across npm, PyPI, and other registries simultaneously. Package clusters, where only one or two packages in a published group carry the actual payload, have become standard operating procedure across threat actors of all levels. Dynamic imports and payload splitting are also on the rise, bypassing package managers and firewalls by pulling dependencies from URLs at runtime or distributing payload components across multiple files.
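The version-sandwiching point above suggests a concrete check, sketched here as an added example that is not from the show or from OpenSourceMalware: list every published version for scanning instead of only `latest`, and flag dependents that pin an exact version other than `latest`. The package names and metadata are constructed; the object layout (`dist-tags`, `versions`) follows npm registry package metadata.

```javascript
// Added example. All package names and metadata below are constructed.
// The object layout mirrors npm registry package metadata
// ("dist-tags" and "versions" keys).
const packument = {
  name: "example-utils", // hypothetical package
  "dist-tags": { latest: "0.1.3" },
  versions: { "0.1.0": {}, "0.1.1": {}, "0.1.2": {}, "0.1.3": {} },
};

// Manifests of other packages published in the same cluster (constructed).
const dependents = [
  { name: "example-app-a", dependencies: { "example-utils": "0.1.2" } },
  { name: "example-app-b", dependencies: { "example-utils": "^0.1.0" } },
  { name: "example-app-c", dependencies: { "unrelated-lib": "1.0.0" } },
  { name: "example-app-d", devDependencies: { "example-utils": "0.1.3" } },
];

// Parse an exact "x.y.z" spec (optionally "=x.y.z" or "vx.y.z").
// Ranges such as "^0.1.0", tags and URLs return null.
function parseExact(spec) {
  const m = /^=?v?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Every published version, oldest first, so that a scan covers the
// versions in the middle and not only the one tagged "latest".
// Versions that are not plain x.y.z (prereleases) are kept and sorted last.
function versionsToScan(p) {
  return Object.keys(p.versions).sort((a, b) => {
    const pa = parseExact(a);
    const pb = parseExact(b);
    if (pa && pb) return compareVersions(pa, pb);
    if (pa) return -1;
    if (pb) return 1;
    return a < b ? -1 : a > b ? 1 : 0;
  });
}

// Flag dependents that pin an exact version of the package which is not
// the version currently tagged "latest".
function findNonLatestPins(p, manifests) {
  const latest = p["dist-tags"].latest;
  const latestParsed = parseExact(latest);
  const findings = [];
  for (const m of manifests) {
    const specs = {
      ...m.dependencies,
      ...m.devDependencies,
      ...m.optionalDependencies,
    };
    const spec = specs[p.name];
    if (spec === undefined) continue; // does not depend on this package
    const pinned = parseExact(spec);
    if (pinned === null) continue; // a range or tag, not an exact pin
    const exact = pinned.join(".");
    if (exact === latest) continue; // pinned to what a latest-only scan sees
    findings.push({
      dependent: m.name,
      pinned: exact,
      latest,
      olderThanLatest:
        latestParsed !== null && compareVersions(pinned, latestParsed) < 0,
      published: Object.prototype.hasOwnProperty.call(p.versions, exact),
    });
  }
  return findings;
}

console.log("scan all of:", versionsToScan(packument));
console.log("non-latest exact pins:", findNonLatestPins(packument, dependents));
```

Range specs such as `^0.1.0` are skipped by `findNonLatestPins` because they resolve at install time; review them against the full list from `versionsToScan` instead.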
Episode Resources
(Video) How malicious packages on npm bypass existing security tools
(Video) Poisoned Packages and Stolen Secrets: The Rise of Supply Chain Attacks
[00:00:00] Jenn Gile: Uh. Okay. Uh, it is Wednesday, June 24th. Paul and I are recording a day early for purely selfish reasons. I have plans to go hiking in the Oregon Cascades with my family. And so yeah Uh, life trumps work, but we still have a great show. Uh, perhaps we’ll even be around to chat during it. We’ll see if we can make that happen.
[00:00:26] Jenn Gile: Um, we have quite the, uh, roundup of things to talk about before we get into our main topics, but I’ll give you the teasers so you know that you have to stick around. Uh, first of all, we’re gonna be talking about North Korean state, uh, threat actor trends, so specific to Lazarus Group in software supply chain malware right now.
[00:00:49] Jenn Gile: Uh, we tend to see that they are the innovators in this space. They’re continuing to innovate. Um, so we’re gonna talk about what we’ve been seeing, and then we’ll get into some general observations we have about what’s going on in the supply chain world. But before we get into that, um, some, I guess, events, news to share.
[00:01:12] Jenn Gile: Uh, Paul, why don’t you talk about the SANS podcast that you’re gonna be on, which by the time this airs, the podcast will have, I believe, already aired, but people can catch it on demand.
[00:01:22] Paul McCarty: Yeah, depending on what time we… They might be, might even be competing. I don’t know. Oh, no, it’ll be ear- earlier than that.
[00:01:27] Paul McCarty: I think it’s an
[00:01:28] Jenn Gile: hour earlier.
[00:01:29] Paul McCarty: Yeah, it’s 5:45. I’m, I’m starting out with 5:45 my time, so that shows you my commitment, y’all. All right?
[00:01:35] Jenn Gile: Bright and
[00:01:35] Paul McCarty: early. Um, yeah, no, I had a great conversation with, um, with Sean O’Connor from SANS. Um, he knows, um, uh, one of my good friends, Thomas Roccia, um, really well, and they’ve been working together for a while.
[00:01:49] Paul McCarty: And, um, and, uh, yeah, just, uh, looking forward to talking at a very… Like, this is great 'cause it’s gonna be an hour, um, and it’s gonna be really technical, and we’re gonna be talking about… I sent you, Jenn, the agenda, um, that we’re gonna be talking about. Um, so lot of emphasis… We’re gonna talk about, unfortunately, Team p- Team PCP in, in DPRK, of course, um, but going into more detail than I often can, which I’m, I’m super excited about.
[00:02:17] Jenn Gile: Yeah, so, uh, for anyone who’s gonna be looking it up, we’ll have the link in the show notes, but this is the th- SANS Threat Rundown Analysis. The name of the episode has some lovely alliteration in it, “Poisoned Packages and Stolen Secrets.” I love it. Uh, the Rise- … of Supply Chain Attacks.
[00:02:35] Paul McCarty: SANS post actually didn’t include my name, and so I saw Sean send, send an email today saying, “Yo, what’s, what’s up with Paul’s name not, not being in that?”
[00:02:43] Paul McCarty: But anyhow.
[00:02:44] Jenn Gile: That’s okay. We’ll make sure everyone knows you’re there. Uh, okay. What else is going on? Um, in the next couple of weeks, uh, we’ve had interest in bringing our first guest on this podcast/livestream. Um, we had somebody from OpenVSX reach out, so we’re working on the logistics right now. But if you have burning questions about OpenVSX specific to malware and supply chain security or just general security about that ecosystem- Uh, would love for you to send those to us in advance to help us build kind of our, you know, run of show, 'cause otherwise it’ll just be Paul and I grilling this person.
[00:03:27] Jenn Gile: Um, kidding. We’re gonna be really nice, and we’re very excited- … to have them interested in coming on.
[00:03:32] Paul McCarty: Well, we’re gonna ask some probing questions too as well, right? Like-
[00:03:35] Jenn Gile: Oh, of course.
[00:03:36] Paul McCarty: Yeah.
[00:03:36] Jenn Gile: I’m not saying we’re gonna throw softballs, but though, let’s be honest, I don’t know if you’ve been hit with a softball, but those things are hard.
[00:03:44] Paul McCarty: They are hard. Yeah, getting hit by any, yeah, in the face especially. Um, hey, real quick, I wanna make one correction r- kind of related to the OpenVSX thing. When we were talking about, um, Microsoft VS Code marketplace, um, a couple of episodes ago, I said something which, basically I don’t have the quote in front of me, but basically I said something along the lines of Microsoft is pretty proactive about scanning VS Code extensions inside of their marketplace, and I should not have said that because I don’t actually know that.
[00:04:18] Paul McCarty: I think many of the things that get turned into Microsoft are, y- you know, this is what kicks things off rather than this proactive scanning that I kind of alluded to that I don’t actually have proof of that exists. Um, so I wanna make that correction. I think it’s less Microsoft being proactive and more, you know, people just turning these things in when they find that they’re malicious.
[00:04:42] Jenn Gile: Yeah. So I think we’ll learn a bit more about, uh, how things go on, uh, behind the curtain, so to speak, in a couple of weeks. So, uh, keep an eye out for that announcement, and again, uh, drop us notes in the comments, DM us on our LinkedIn. Let us know what you wanna hear about from this person. Um, and then what else?
[00:05:03] Jenn Gile: Oh, yeah, no big deal. Uh, we’re gonna be speaking at DEF CON, uh, in the Villages. So we have two, uh, talks accepted. Um, the first is going to be a two-hour workshop with the Adversary Village. It’s titled Hunting GitHub to Identify Adversary TTPs in the Wild. Uh, let’s pause before we talk about the other one.
[00:05:24] Jenn Gile: Paul, this is a topic you’re pretty passionate about. It’s based on techniques that you have, uh, used in your own hunts. So talk a little bit about- Yeah … why we’re doing this workshop.
[00:05:37] Paul McCarty: Yeah, I mean, really, honestly, you know, we thought when we partnered with ABX and the Adversary Village team, um, and we did a version of this at RSA as well, but this one will be updated.
[00:05:47] Paul McCarty: Um, actually BSides, we did RSA and BSides, um- You’re right, yeah … San Francisco, yeah. Um, but yeah, what this is, is this teaches a, a set of relatively simplistic techniques to look into forward hunt in GitHub, looking for those adversary TTPs that, you know, when the, when the bomb maker is making the precursors, this is the metaphor I always return to, you know, making the bomb and, you know, they have to gather together the precursors to make the bomb.
[00:06:16] Paul McCarty: You can identify those ahead of time in GitHub if you know what to look for. And, um, so I’ve been using these in production for years and years and years myself to find this stuff, and now we’re gonna be showing other people how to do this. And this is, um, I also did an all-day training based on this at Melbourne BSides in May.
[00:06:34] Paul McCarty: Um, so this is a, this is a technique and a process that’s near and dear to my heart.
[00:06:39] Jenn Gile: Yeah. ABX does a great job with the Adversary Village, so we’re excited to be there. And then I will be on the AppSec Village stage. Mm-hmm. Um, whoop whoop. Let me go back to the name of my talk because I forgot what it is.
[00:06:51] Jenn Gile: Um, my talk is How Malicious AI Skills Hijack Your Agents. Um, this is a talk that I developed earlier this year, and excited to bring it to DEF CON. It has a lot of the research that we’ve been doing at Open Source Malware in it. Uh, it kind of explains why skills are such a tasty target for malicious threat actors.
[00:07:15] Jenn Gile: Uh, well, I guess all threat actors are malicious, but you know what I mean. And, um, what you can do to protect yourself. So if you’re going to DEF CON 34, let us know. Again, the schedule is not out yet, uh, but we’ll be there. And then maybe, uh, we’re still kinda in the early planning stages. We’d really like to do an Open Source Malware meetup of some kind.
[00:07:37] Jenn Gile: So if you’re interested in that, um, you know, let us know. Keep following us on LinkedIn. We’ll, we’ll share more details about that later.
[00:07:45] Paul McCarty: I, I just wanna jump in here. I’m going off, off script. I, I’ve been wanting to do this thing in my head where we do like a CTF kind of thing inside of OSM. I know.
[00:07:54] Jenn Gile: I really wanna do it.
[00:07:55] Paul McCarty: Yeah. So I, I might put something like that together that leads up to the day where we have, you know, this happy hour or whatever we end up doing during Hacker Summer Camp. But, um, we’ve got some swag as well, so, um, we’ll do something. I’ve already started reaching out to some of the homies.
[00:08:10] Jenn Gile: Nice. Okay. Now time to get into the meat.
DEF CON 33 Recap and Attacker Bypass Techniques
[00:08:13] Jenn Gile: Um, you’ve got in our show notes a note about your DEF CON 33 talk. So why don’t we start there? What did you talk about at DEF CON last year? Why is it relevant for what we’re gonna talk about today?
[00:08:25] Paul McCarty: Yeah, I mean, I’ll, I’m in the guts of, you know, open source malware, software supply chain malware every single day. Like, literally every day I’m in the guts of malware looking at it, you know, de-obfuscating it, doing stuff with it.
[00:08:34] Paul McCarty: So I get to see these kind of themes up close and personal. I’m at the coal face. Um, God, I shouldn’t use that as such a dumb term. But anyhow, um, the w- you know, DPRK, North Korea- And I was talking to Thomas yesterday about this at lunch. They just innovate so much, and you don’t hear about them because there’s the team PCPs and all these other squeaky wheels, right?
[00:08:45] Paul McCarty: That wasn’t the whole title, but anyhow. That’s a terrible title. That’s… I need to workshop that. It’s already happened, Paul. Um- You need to go ask Claude for
[00:08:53] Jenn Gile: some help.
[00:08:56] Paul McCarty: Um, uh, well, if I could get Claude to do anything security related, I’d, I would. Um, oh, yeah- Oh … so basically it was just about how, how threat actors, you know, bypass security tools to get malware into NPM.
[00:09:09] Paul McCarty: Um, and you could also make this argument about, 'cause I talked a bit about PyPI too as well. And now of course we’ve ex- expanded that to, um, to talk about the VS Code marketplace and AI skills and all these other places where we’re finding, um, this stuff. But yeah, there, it was pretty technical talk. I had a lot of great people in the audience.
[00:09:25] Paul McCarty: I had Adnan Khan and Ronnie Carda and some of the critical thinking peeps, and it was just a really cool group of people. We all went outside afterwards, outside the room, when the next talk kicked on, and we just had this like 15 or 20 people all sitting around in a circle talking. It was just, like, magical.
[00:09:40] Paul McCarty: I loved it. It was just so much fun. But the reason it’s important for, um, for this conversation we’re gonna have here is because a lot of things I talk about in that talk are things that bad guys are now doing, which is not surprising, right? As we create resistance inside of NPM with cool down periods and with, you know, getting rid of these kind of, um, dynamic and GitHub, sorry, Git, um, dependencies inside the package manifests, bad guys are gonna use these other techniques and that’s what we wanna talk about today.
[00:10:09] Jenn Gile: Yeah. So, uh, top of the list we’ve been teasing it for a couple weeks now is what’s going on with Lazarus Group. Um, this is the, the Paul show. Why don’t you share what you’ve been seeing?
DPRK Lazarus Group Trends in Software Supply Chain Malware
Sandwiching Malicious Versions
[00:10:23] Paul McCarty: Yeah, I mean, I’ll, I’m in the guts of, you know, open source malware, software supply chain malware every single day. Like, literally every day I’m in the guts of malware looking at it, you know, de-obfuscating it, doing stuff with it.
[00:10:34] Paul McCarty: So I get to see these kind of themes up close and personal. I’m at the coal face. Um, but anyhow, um, DPRK, North Korea- And I was talking to Thomas yesterday about this at lunch. They just innovate so much, and you don’t hear about them because there’s the team PCPs and all these other squeaky wheels, right?
[00:10:57] Paul McCarty: But the reality is that DPRK stole over $2 billion last year in crypto. You know, using contagious interview and the processes around contagious interview that have evolved. And so some of those things that we’re seeing now are them, you know, finding unique ways to, um, to hide malware with this increased visibility on especially the NPM ecosystem.
[00:11:18] Paul McCarty: So the first thing that I wanna talk about is something that I talked about in my talk at DEF CON last year, which is when a bad guy is deploying a new, a net new, this is not a, this is not an account, uh, compromise style takeover. This is a net new, it was, this package is published by a bad guy, and it was always intended to do a bad thing, right?
[00:11:40] Paul McCarty: What will happen is the first version will not be malicious. The second version might not be malicious. The third version might not be malicious. And at some point, they add a malicious payload. But here’s the thing, then they add another benign version after that. So what’s happened is they’ve sandwiched the- It’s a sandwich
[00:11:59] Paul McCarty: it’s a sandwich, right? It’s a, it’s a reverse… Oh, I, I won’t say that, but it’s a reverse sandwich. I almost said reverse sandwich, where the good, the benign versions are, you know, sandwiching the malicious payload. And, you know, bad guys have been doing this for ages. DPRK has been doing this for ages, but it’s now become like a motion that they’re doing almost all the time, or, or a lot.
[00:12:21] Paul McCarty: They’re certainly doing it a lot. So here’s the thing is that if you scan the latest version of a package and it’s benign, you know, and you have an, you know, something has flagged it as potentially malicious, maybe go back and look at some of those versions in the middle too as well. I- it happens all the time in our analyses that, you know, you see the last one is fine.
[00:12:40] Paul McCarty: You
[00:12:40] Jenn Gile: know? Yeah. I think maybe it would be helpful for people who are not software developers, or as you like to say, in the software sausage, to explain, uh, what mechanisms is this taken advantage of? Uh, why does this work, uh, both in terms of tricking, let’s say NPM, but also tricking the consumer?
[00:13:04] Paul McCarty: Yeah, that’s, that’s a good observation to talk about.
[00:13:06] Paul McCarty: So listen, the, you know, NPM has its own kind of iterative publishing process. When you do an NPM publish, you know, you publish a new version of it, and you can choose what version number to do, or you can leave that up to NPM. But, uh, what’s happening here is that they’re, the bad guys are using iterative publishing versions, right?
[00:13:28] Paul McCarty: Like 0.1.0, 0.1.1, you know, whatever they’re using, and they only add the malicious payload in the middle. Now, here’s the important thing is the last version they’ve published is the version that you’ll grab unless you specifically call the other one. And so they’re, the bad guys are leveraging this built-in behavior where if you call this package and you don’t specify the specific malicious version in the middle, you’re gonna get the benign version.
[00:13:58] Paul McCarty: You’re gonna scan it and say, “Oh, that’s okay.” And I see this, this simple trick bypass scanners all the time. You know, a lot of them are getting smarter, and they’re scanning every single version, right? But, um, the reality is that what the bad guys do then is that when they use that as a payload, they call it from another package, and they specifically call the malicious version of it, or they do something else that’s really unique is they quickly delete the more recent version, and the latest tag goes back to the old version and whoop.
[00:14:28] Paul McCarty: You know, I s- it’s- Mm-hmm … that last one, that former instance is much more rare, less common than the fact that they just pinned to the malicious version. So I… And this brings us to another thing, which is not only this- Well,
[00:14:40] Jenn Gile: and we saw something a little bit along this lines, uh, one or two weeks ago with the attack on Mastra or Maestra, where they published that EasyDay JS dependency.
[00:14:53] Jenn Gile: Right. The first version was clean, the second version was malicious, and what they did is they pinned it to the first version with a little caret, which meant you would always pull the latest. Now, uh- It just so happens that package is still live on npm right now, which that’s a whole other thing. But anyway- Yeah
[00:15:10] Jenn Gile: I digress. The be- So- The
[00:15:12] Paul McCarty: benign
[00:15:12] Jenn Gile: one is
[00:15:12] Paul McCarty: live, yeah … you know,
[00:15:13] Jenn Gile: just. Yeah.
[00:15:14] Paul McCarty: Yeah.
[00:15:15] Jenn Gile: Um- Yep … so, you know, they’re taking advantage of the various automations that are available both through npm and just how pulling dependency versions work in order to get you to pull a poisoned version without realizing.
[00:15:32] Paul McCarty: Yep. And so this brings us to the next, um, part of this, which is the bad guys will then use that, that, you know, that pack- that first package.
[00:15:41] Paul McCarty: They’ll call that package as a dependency from another package, right? Mm-hmm. And they’ll specifically pin that malicious version in that package. Um, so the, in this technique where you’re calling, w- we’re now, um, you know, when people deploy these clusters, which we’ll talk about in a second, the, the cluster u- usually only…
[00:15:59] Paul McCarty: Well, um, let me jump ahead to the cluster conversation 'cause it’ll just make itself self-obvious. Um, when bad guys are publishing now, they typically will publish in a cluster, and a cluster is anywhere from 2 to maybe 10 packages, and they, they typically will publish these clusters close together in time.
[00:16:17] Paul McCarty: So if you look at the publishing date, it’s, you know, relatively close together. And typically what happens is not all those payload, all those packages have malicious payloads in them. Four or six of them will call one or two of them that actually have the payload, right? Um, and what’s great about that is, let’s just say at some point in the future, a researcher like myself or somebody at Socket or, or Kedo or wherever else, you know, gets the malicious payload taken down off of npm.
[00:16:47] Paul McCarty: What they’ll do is they just convert one of the benign ver- versions that used to call that, and it will- Mm-hmm … uh, it’ll now take over as the ma- master payload or whatever, right? And these clusters, th- this is becoming, you know, the, the, the standard operating proce- the SOP for, for bad guys.
Reusing Blockchain Addresses as Infrastructure
[00:17:08] Jenn Gile: Yeah. All right.
[00:17:09] Jenn Gile: So your second thing in this list is about reusing pollen writer, Aptos, and BSC keys. And before you get into it, uh, I just wanna share a little story. As you know, I’ve been working on some, uh, onboarding workflows for open source malware to just make it easier for people to, like, get started really fast.
[00:17:30] Jenn Gile: And, um, I have a list of the things we track, and crypto keys or crypto wallets are in that list, and I put it into the Claude, and I was kinda having it help me with some of the logic, and it said, “Oh, well, you know, crypto wallets don’t belong in this list because that’s really, you know, just for Bitcoin transactions.
[00:17:48] Jenn Gile: That’s not malicious.” And I was like, “Ugh- No, you’re wrong, Claude.”
[00:17:54] Paul McCarty: Well, and it gets really murky, right? 'Cause neither you or I are crypto people, right? And so I- I’m the first to admit this, right? So, like, when Tron and Aptos came along, like, those are chains and, you know, they have … The, the reason that DPRK and other bad guys like those particular chains, there’s three chains that, that the bad guys really like.
[00:18:16] Paul McCarty: Aptos, Tron, and the Binance BSC one, and I don’t really understand- Mm-hmm … much about that one at all. Don’t really want to, but anyhow. Um, the reason they like those chains is because while the thing that is stored in the chain is immutable, which is the power of the blockchain, both of those have these kind of memo components which allow, which are, which are mutable, um, which you can change.
[00:18:41] Paul McCarty: And so what happens is when you make a transaction to, um, the Aptos or Tron, uh, chains, you know, the original thing that you stored there doesn’t change, which is usually just a benign thing, right? It’s just blah. It’s the, this, the little memo they’re using. So because of this, like, this, like, blockchain addresses and wallets, you know, it all kind of, like, is fuzzy and stuff.
[00:19:03] Paul McCarty: But the reality is that, to your point, bad guys are absolutely using this stuff as infra, and this gets us to the next point, which is for whatever reason, DPRK is reusing these specific, uh, block addresses, blockchain chain addresses, and using, continuing to reuse these memos, maybe because they’ve just used them in so many places.
[00:19:27] Paul McCarty: But they’re out there, and if you know how to call what’s in the memo, you can call it, and you can see what they’ve updated the most recent payload to, right? So that’s great. It’s just as a really s- Like, DPRK is really good at just burning down and rebuilding, and they use AI and automation to do this constantly.
[00:19:42] Paul McCarty: You know, me and all the other researchers- Mm-hmm … just see this constant flood of DPRK stuff. But the fact that they’re reusing these particular chains from February of 2026 is really interesting, 'cause it allows you to tie together, you know, disparate activities under the same threat actor. Um, and that’s absolutely why those chain addresses and those wallets and, you know, those things are in OSM.
[00:20:06] Paul McCarty: You know? These, these are the things that we pivot on.
[00:20:07] Jenn Gile: Yeah. I mean,
[00:20:07] Paul McCarty: if,
[00:20:09] Jenn Gile: if you were … Like, let’s, let’s take a, a step away from pivoting and research and talk about using it for alerting. You know, you and I have talked a lot about the incident response related use cases. Um- I don’t know if people are thinking about alerting based on a crypto transaction in their SIEM or whatever.
[00:20:31] Paul McCarty: Right.
[00:20:33] Jenn Gile: Yeah, well, I mean- So there’s new things to think about.
[00:20:36] Paul McCarty: Yeah, and at the very least, these are things that, you know, if you are, you know, a, a threat hunter, you know, uh, looking to, you know, you know, kind of expanding out to look at these things, OSM’s got a bunch of… got a couple hundred of these things in them, and we’re adding some, you know, almost every day.
[00:20:50] Paul McCarty: So, um, good thing to pivot on.
Campaign Naming Conventions
[00:20:53] Jenn Gile: Yeah. All right. Third in your list is, uh, new campaign names. Uh, talk us through why is this interesting?
[00:21:03] Paul McCarty: Oh, listen, DPRK and all the, all the, you know, big threat actors use campaign names, and just to kind of, like, talk about these, there’s the campaign names and, and, um, basically these are unique identifiers that DPRK will use.
[00:21:16] Paul McCarty: So a really good example of this is when you find, um, a, a payload in GitHub, typically in a VS Code tasks.json file, or wherever it is, but there’ll be, there’ll be three lines, whether it’s obfuscated or not, there’ll be three lines where it’s calling a Windows payload, a Linux payload, and a Mac payload, and each one of those has a little different designation, right?
[00:21:39] Paul McCarty: Whether that’s going through a shortener, it’s going directly to Vercel, or wherever it’s going, or an IP address, they’re differentiating that 'cause there’s different payloads. That’s one thing. What they do is they add in another thing, which is a campaign name so they can track it, and it’s, it’s kind of like anybody that’s done-
[00:21:55] Jenn Gile: It’s like, uh, what do they call it?
[00:21:57] Jenn Gile: You know, like the marketing thing.
[00:21:59] Paul McCarty: Yeah. That’s literally where I was going, like SEO GTM tags and stuff like that. Yeah,
[00:22:03] Jenn Gile: yeah.
[00:22:03] Paul McCarty: Yeah. URL tagging. Yeah, yeah. Um, and who knows… You know, we’ll never probably really know how these things map to indiv- But, you know, some people I’ve talked to say, “Oh yeah, we think it’s individuals inside of, you know, these groups,” right?
[00:22:18] Paul McCarty: That are tracking for KPIs or whatever, right? Like, like campaign 39186, you know, is, is performing- Gotta check the
[00:22:27] Jenn Gile: performance.
[00:22:27] Paul McCarty: Yeah. Right. You got, you got… You’re handing out bonuses at the end of the year, whether it’s in Pyongyang or, or, you know, wherever, in Russia somewhere, you, you know, you gotta know who to, to give your bonuses to, you know, your, your shining star, or your gold coin, your ch- challenge coin.
[00:22:41] Paul McCarty: What- whatever, whatever the incentive is. So what I started seeing, um, last month is these kind of sexy, um, campaign names, and I just included two here. Mm-hmm. Um, and I included it with the, um, with the packages that I found them in. But one of them was ace- a6-shadow-15, and then we found that one in the tailwind-color-shades NPM package.
[00:23:08] Paul McCarty: Um, a6-shadow-15. Now we found another one contemporaneously, um, in the s- in the secure-box NPM package, which was a6-orion-271. Now the funny thing is that you’ll see when DPRK spins up new endpoints, whether that’s in Vercel or wherever it is- They will often use those same numbers in the endpoint. So what you can do is you can begin to tie, like, a package to an endpoint to a campaign name, and you can kind of…
[00:23:38] Paul McCarty: And it’s not, you know, it’s amorphous and it’s mostly just their automation. Sometimes it works and sometimes it doesn’t. But it allows you to kind of tie together these things in this loose, you know, relatively loose abstraction, which is really cool. Would you say this
[00:23:49] Jenn Gile: is more of a research tactic, uh, rather than if you’re actively, I don’t know, uh, doing some kind of IR in your, in your organization?
[00:23:59] Jenn Gile: When would you do this?
[00:24:01] Paul McCarty: Yeah, I really wouldn’t use these as detection strings so much. I mean, they, uh… 'cause they’re just so granular. There’s just so many of them. Mm-hmm. Right? But absolutely in your research, you know, if you, if you’re collecting these things like I am, mwahaha, you know, you can begin to tie them together, you know, inside the, your graph fabric, whatever you’re using, right?
[00:24:19] Paul McCarty: To, to, to understand what these kind of loose… And then you can, you can gain insights by, like, okay, this is three NPM packages and then a PyPI package or whatever the case may be. You know, you can begin to gain some insights about what’s going on behind the scenes. So… And plus it just sounds cool.
[00:24:33] Paul McCarty: A6Shadow15.
[00:24:37] Paul McCarty: Why do they both say A6? Is that the same team? Is that the team name? I don’t know. And then the next one is their, their call sign. I’m, I’m just, I’m making all this up, right? The first one is team name, A6. The second one is their individual call sign. I’m Shadow. I’m Orion. I wanna be Mr. Pink. I wanna be Mr.
[00:24:52] Paul McCarty: Brown. Um, uh, Shadow and, and Orion, and then the last one, maybe that’s the sub-campaign name or, like, the individual payload, right? Which is something that you see a lot. Mm-hmm. They’ll tag the specific payload with a number or a, a unique identifier.
[00:25:07] Jenn Gile: Or they’ve got a random generator running.
[00:25:11] Paul McCarty: Could be that
[00:25:11] Jenn Gile: That’s not as fun
[00:25:13] Paul McCarty: Oh, they’re definitely randomly generating some of these things, like the numbers I think they’re picking.
[00:25:17] Paul McCarty: 'Cause you see the same numbers, 112 and 71
[00:25:21] Jenn Gile: and- Mm-hmm …
[00:25:21] Paul McCarty: 141, and you see the same numbers kind of coming up again, and they just randomly kind of associate them with other words. But in this case, I think it actually might mean something.
[00:25:30] Jenn Gile: Interesting. Uh, so is that all you’ve got on North Korea? You wanna move on to general stuff?
[00:25:36] Paul McCarty: Yeah, that’s it for DPRK. Let’s move on to general.
General Threat Landscape Observations
Cross-Ecosystem Malicious Packages
[00:25:39] Jenn Gile: All right. So this is kind of like zooming out. Some of this ties into what we just talked about with DPRK. Some of it is a little bit more unique. You’ve mentioned, uh, back at the top of the episode about, uh, cross-ecosystem malicious packages. This is definitely a trend we have really started to see heavily this year, and some of the research that I did earlier, uh, looking at the velocity of, uh, new NPM packages versus new PyPI packages malware in each, seeing those move at the same track.
[00:26:16] Jenn Gile: A lot of that, uh, velocity matching is because the threat actors are, you know, making it a little more ecosystem agnostic. They’ll get you regardless of where you are
[00:26:29] Paul McCarty: Yeah, 10-4. It makes sense, right? Spread the love. Um, so, or, I guess the opposite of love. Or sometimes. Um, whatever it is. Yeah, so I think the reason that Jenn and I wanted to kinda separate these into two categories is because, um, you know, the, the greater threat actor, you know, threat actors are learning from whoever’s, you know, innovating the most, and so we saw this very…
[00:26:52] Paul McCarty: We’ve seen this a number of times with TeamPCP, Glassworm, and others, you know, using kind of things that DPRK Lazarus Group has been using. A really good example is the VS Code tasks.json file. Mm-hmm. That is now being used. That’s ubiquitous. Like, everybody’s using it, and they’re pa- they’re piling on.
[00:27:12] Paul McCarty: They’re using, you know, the tasks.json VS Code to also compromise, um, Cursor, and Windsurf, and other applications that are built on top of VS Code, so it makes sense. But same thing with, you know, the, the canisters and a number of the other things that DPRK first innovated. We now see that being used in a broader context by more threat actors.
[00:27:32] Paul McCarty: And so some of those other things that we’ve seen is that just the fact that everybody is now building in more than one ecosystem, or almost everybody is building in one ecosystem. Used to just be the Glassworms and DPRK, and now that’s not the case. This week, I’ve been looking at a number of clusters from Chinese threat actors, Indonesian threat actors, and, and Russian threat actors.
[00:27:53] Paul McCarty: All three of these are low-end, low technical. These are not APTs. These are anti-APT groups that are using vibe coding to quickly build payloads in multiple languages that they can then apply to different package ecosystems, right? So you’re seeing… And if you, you know, if you burn down to the actual payloads, they’re typically either the same or very, very similar.
[00:28:13] Paul McCarty: Um, and they might use, you know, different, um, you know, PyPI will, will, they’ll detonate in a different way there than they will in other places. But this is something we’re now gonna see because of vibe coding, vibe hacking. We’ll see this across all stratuses of- Threat actors. The low crappy, you know, crappy ones all the way up to the nation states, so-
[00:28:35] Jenn Gile: I think it bears explicitly stating, um, what this is telling us, and, you know, I think most people understand this, is don’t just look at NPM.
[00:28:47] Jenn Gile: Um, I think we’ve been a little bit conditioned to see NPM as the sole problem or the sole source, and that has been somewhat true just based on sheer numbers, right? There’s hundreds of thousands of malicious package threat reports just at NPM. But, uh, if, for example, you’re only tracking malicious NPM packages even though you’re using other languages, then you’re leaving yourself open.
[00:29:14] Jenn Gile: And if you’re really focused on just the security improvements that are happening in the NPM ecosystem, like understand that those are not automatically the same in other ecosystems. So, for example, if you’re already using open source malware to find out the new NPM packages that we’ve added every day, you know, maybe add PyPI, maybe, maybe add VS Code.
[00:29:35] Jenn Gile: Think about, uh, broadening your, uh, data that you’re pulling in.
[00:29:41] Paul McCarty: Right. Um, yeah, 100%. I don’t have anything to add. Exactly.
Package Clusters and Dynamic Imports
[00:29:46] Jenn Gile: No notes. None. All right. Uh, you talked a little bit about clusters already in the context of DPRK. Do you have more to say on that?
[00:29:57] Paul McCarty: No, just again, this is something, the reason it’s in this category is because just everybody’s doing it now, right?
[00:30:02] Paul McCarty: It used to be that these, the DPRK would, you know, publish these kind of clusters together, and they’d have those campaign names and you, you know, you could tell kind of roughly what the abstraction is. Now everybody’s doing it. They’re all coming in these clusters and it makes sense. And they’re also modifying, not each one of the things, you know, the way that the benign package will call the malicious package, you know, changes, right?
[00:30:23] Paul McCarty: And we’re seeing a lot more… This isn’t on the list, but we’re seeing a lot more dynamic imports inside of the code rather than in the package manifest because the NPM Package Manager and the upgrades to the security around NPM Package Manager itself don’t help there at all. So we’re seeing more of this like very- Yeah, why don’t we
[00:30:42] Jenn Gile: pause on that?
[00:30:43] Jenn Gile: 'Cause I’m not sure, I’ve been hearing a lot of people talking about it, and I’m not sure everyone understands, again, if they’re not involved in software development, uh, how dynamic imports work. So let’s, let’s go a little deeper on that.
[00:30:56] Paul McCarty: Yeah. Uh, so I like this. Um, so what, God, what was it? Today is Thursday here, so it would’ve been Monday or Tuesday my time here, um, I jumped in to, to look at a, uh, a user source code, and the first two lines I noticed in that, in this, this particular package repository were l- lines one and two were importing from URLs in the JavaScript additional JavaScript, right?
[00:31:27] Paul McCarty: And this is totally legitimate, happens all the time, these dynamic imports. When you basically, when, when, uh, a JavaScript file runs in your browser or in whatever V8 engine you’re using, it can call additional, uh, dependencies in the code from URLs. And guess what? Your package manager can’t find that.
[00:31:47] Paul McCarty: Your package firewall can’t find that.
[00:31:49] Jenn Gile: Mm-hmm.
[00:31:49] Paul McCarty: Your proxy can’t find that. Artifactory can’t deal with that. Basically, none of the security tools that you’re using can help you with that. Like, it, there are things in the source code-
[00:31:59] Jenn Gile: It mirrors a lot of what we saw with malicious AI skills earlier in the year, where the skill itself is benign, but it’s saying- Mm-hmm
[00:32:07] Jenn Gile: “Hey, you need to go over to this outside thing to download the CLI or whatever.” Um, are you seeing this predominantly in JavaScript because of JavaScript’s tendency to bring all its friends?
[00:32:23] Paul McCarty: Yeah, I mean, I’m mostly seeing, and I’m, I’m seeing a lot of vibe coded apps, um, and that’s because- Mm,
[00:32:28] Jenn Gile: mm-hmm …
[00:32:28] Paul McCarty: they’re being written quickly, they’re not having a lot of oversight.
[00:32:32] Paul McCarty: Um, I’m seeing a lot in, you know, Lambdas and other kind of, um, you know, transient compute kind of, uh, code snippets. So these are things to look for. Uh, you know, I’m actually looking at, you know, building something to try to identify these things. Um, but just to say this very explicitly, as the NPM ecosystem adds protections around the package manager, right?
[00:32:58] Paul McCarty: And we’re all making a big deal about, you know, NPM version 12 coming with these things, and all those things are good. Again, these are all great things. Bad guys are going to find a way, and one of those ways is, is to drop or to leverage dynamic dependencies you’ve already got, um, or find some way to, to add some, um, you know, another way.
[00:33:18] Paul McCarty: Or here’s the other thing is a lot of these dynamic dependencies get pulled from CDNs that you’ve never heard of.
[00:33:24] Jenn Gile: Mm.
[00:33:25] Paul McCarty: Little known fact, there’s like 150 JavaScript CDNs just in China. These are all just, you know, managing the Chinese developer market, and they’re all kinds of crazy. And how would you know one URL is malicious versus, you know…
[00:33:41] Paul McCarty: Like, you just have no idea. And so you’ve got a piece of, you’ve got, you know, uh, some code of yours that is calling a dynamic dependency from something that, that is a CDN or ostensibly a CDN. You have no idea. So now you gotta go and research that thing. What is this, right? ESM.sh, what, what the hell is that, that…
[00:34:00] Paul McCarty: Oh, it turns out that’s legit. What about this next one? JS-deliver.com. Jsdeliver.com is legit, but JS-deliver, is that… Oh, shoot, that looks like that might be malicious, right?
[00:34:12] Jenn Gile: I have questions. Are you gonna go and- Um, and I’m just thinking about logistics here of, you know, okay, once, once you know what’s bad, um, what do you start labeling as malicious at that point?
[00:34:24] Jenn Gile: What do you start tracking? Do you track the package- Good question … that contains the dynamic dependency, which may or may not be intentionally sharing something malicious? Because as we know, there’s lots of stuff out there that wears, I don’t know, friendly hat, but has something else underneath. Do you track it as malicious URLs?
[00:34:49] Jenn Gile: How do you, what do you, what’s your thought? Like, how do you think you track this kind of stuff? How do you look for it?
[00:34:54] Paul McCarty: A- audience at home, this is not a setup. Like, this is Jenn actually asking a question that we’ve never talked about before.
[00:35:00] Jenn Gile: Yeah,
[00:35:00] Paul McCarty: I don’t know. I don’t know. So, Je- Jenn, in OSM, we actually do both.
[00:35:03] Paul McCarty: We track the in- that’s a great question. I’ve had to deal with this myself, because do I track the CDN? Yes, absolutely, I do. So for example, if I find that there’s a malicious CDN or something that has been consistently delivering, um, you know, malicious packages, I will add it, I or somebody else will add it to OSM as a top level domain, right?
[00:35:25] Paul McCarty: First. Second- Malicious
[00:35:27] Jenn Gile: domain category.
[00:35:28] Paul McCarty: Okay. Yes. Yes, ma’am. Second, when I found a specific payload, and I did this several times yesterday, of malicious, uh, payloads, I will add the full URL into OSM, um, because a lot of times that’s actually not a malicious CDN, it’s just a malicious payload being called from a CDN, right?
[00:35:46] Paul McCarty: Mm-hmm. And it’s, where it’s getting that, it’s getting that from GitHub somewhere, who knows where it’s getting from, like CodeBurger, who knows, right? But the point is that it’s serving it up to you, and some of these things are already pre-built as ESM modules, and some of them are, you know, j- there’s all kinds of different ways to do this.
[00:36:01] Paul McCarty: So you have to cover off both. And I ask you, audience, what security tool are you using right now that does both of those things, right? Protects you both from these, these domains that you’ve never heard about, these weird CDN or fake CDN, malicious CDNs, and the payloads themselves. That is a bad mofo.
[00:36:20] Jenn Gile: That’s no fun. Okay, last item on here, which I don’t think we’ve hit yet. Uh- We have not … but this falls into the category of, um, threat actors getting creative to evade detection, and this is the idea of splitting the payload into multiple pieces. Uh, and you’ve got an example here where, uh, you’re seeing it split into four pieces.
[00:36:44] Jenn Gile: The URL is in one JavaScript file, a protocol is in another JavaScript file, the path is in yet another, and the post is in yet another. Um- What are some examples, like, that you can share where you’ve seen this, you know, in reality? This is not a, a hypothetical researcher, “Well, they could do this,” kind of a thing.
[00:37:05] Jenn Gile: Nope.
Splitting Payloads Across Files
[00:37:06] Paul McCarty: No, I’ve seen this multiple times this week. Um, no, it happens quite frequently, um, and it’s gonna happen more and more, um, because there’s so many people that are analyzing, you know, packages as soon as they’re getting deployed. It makes sense for the bad guys to chunk up their payloads into separate pieces and then publish them, and then they either call things, you know, uh, via dependencies or find other ways to, to import- Are they,
[00:37:30] Jenn Gile: like, different functions in the same package, or are they- Oh, I
[00:37:34] Paul McCarty: see
[00:37:35] Jenn Gile: uh, like transitive dependencies? How are they-
[00:37:40] Paul McCarty: Good question …
[00:37:40] Jenn Gile: making the- Both … the lines connect? Both. Okay.
[00:37:43] Paul McCarty: Both. Yeah. It’s, it’s obviously easier when the pack- when the files are individual JavaScript files or TypeScript files inside of a package, right? They can just call each other from the code a- and, and bundle together the payload and, and away you go.
[00:37:57] Paul McCarty: But I am also seeing, at the same time, multiple packages. Say if we take one of our clusters, you know, let’s just say four packages, right? They’ll kind of chunk up the payload across those four packages, and they will then bring them together via depend- Now, that’s a much trickier thing. It’s much, you know, um, if one of those packages gets burned, gets- Yoinked
[00:38:18] Paul McCarty: sorry, removed. Yeah. Yoinked. Thank you. Gets yoinked. Suddenly, your payload, it no longer works, right? So it’s a trickier, um, uh, riskier thing for the bad guys to do. Very, very common for people to do this in individual, um, JavaScript files inside- Within a single … the same package.
[00:38:32] Jenn Gile: Yeah.
[00:38:33] Paul McCarty: Yeah. Very, very common- Mm
[00:38:34] Paul McCarty: to do that. Less common to do the other.
[00:38:37] Jenn Gile: Makes sense. Very, uh- That’s a good question. Yeah. I didn’t know. It’s worth asking. Yeah. Okay. That’s the end of our list of things. We’ve made it a little over our normal recording time, so I think this is probably a good place to stop. Uh, but yeah, this has been super interesting.
[00:38:52] Jenn Gile: Thanks for answering my questions, Paul.
[00:38:55] Paul McCarty: Yeah, no worries. Great questions, Jenn.
[00:38:57] Jenn Gile: Happy to do it. All right. All right. Take care, everyone.
[00:38:59] Paul McCarty: All right, see you guys. Thanks for listening. Appreciate it. Bye-bye. Bye.