A set of fake npm packages discovered in the npm registry for Node.js has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show.
The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils.
One of the packages in question, execution-time-async, masquerades as its legitimate counterpart execution-time (by appending "-async" to the real name), a library with more than 27,000 weekly downloads. execution-time is a Node.js utility used to measure the execution time of code.
It "actually installs several malicious scripts including a cryptocurrency and credential stealer," Phylum said, describing the campaign as a software supply chain attack targeting developers. The package was downloaded 302 times since February 4, 2024, before being taken down.
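The look-alike naming above (a real package name plus a bolted-on suffix) is something a dependency audit can catch before install. The following is an added example, not Phylum's tooling or anything from the packages themselves: it reads the "packages" map of a package-lock.json and flags names that reduce to a known package once suspicious trailing tokens are stripped. The known-package baseline, the suffix list and the sample lockfile are constructed for illustration.

```python
import json

# Constructed baseline of legitimate names you already depend on or trust
# (in practice: your own dependency set or a top-N npm list).
KNOWN_PACKAGES = {"execution-time", "mongodb", "lodash", "moment"}

# Trailing tokens seen in the package names from the article
# (execution-time-async, mongodb-connection-utils, mongodb-execution-utils).
SUSPICIOUS_SUFFIXES = {"async", "utils", "util", "helpers", "connection", "execution"}


def suspicious_suffix_match(name, known=KNOWN_PACKAGES):
    """Return the known package that `name` extends with suspicious suffixes, else None.

    "mongodb-connection-utils" -> "mongodb"; "mongodb" itself and "lodash-es" -> None.
    """
    if name in known:
        return None
    parts = name.split("-")
    # Peel trailing tokens while every peeled token is a suspicious suffix.
    for cut in range(len(parts) - 1, 0, -1):
        if not all(tok in SUSPICIOUS_SUFFIXES for tok in parts[cut:]):
            break
        if "-".join(parts[:cut]) in known:
            return "-".join(parts[:cut])
    return None


def audit_lockfile(lock_json):
    """Map each flagged dependency in a package-lock.json (v2/v3 'packages' map) to its look-alike."""
    findings = {}
    for path in json.loads(lock_json).get("packages", {}):
        if not path:
            continue  # "" is the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        hit = suspicious_suffix_match(name)
        if hit:
            findings[name] = hit
    return findings


# Constructed lockfile fragment (versions are made up) for a stand-alone run.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/execution-time": {"version": "0.0.1"},
    "node_modules/execution-time-async": {"version": "0.0.1"},
    "node_modules/mongodb-connection-utils": {"version": "0.0.1"},
    "node_modules/lodash-es": {"version": "0.0.1"},
}})

if __name__ == "__main__":
    for bad, good in audit_lockfile(SAMPLE_LOCK).items():
        print(f"suspicious: {bad} looks like a variant of {good}")
```

Names that match nothing in the baseline (data-time-utils, login-time-utils) are not flagged by this check; those need a separate review of install scripts and test files.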
In an interesting twist, the threat actors made efforts to conceal the obfuscated malicious code in a test file. That code is designed to fetch next-stage payloads from a remote server, steal credentials from web browsers such as Brave, Google Chrome, and Opera, and retrieve a Python script which, in turn, downloads other scripts:
~/.n2/pay, which can run arbitrary commands, download and launch ~/.n2/bow and ~/.n2/adc, terminate Brave and Google Chrome, and even delete itself
~/.n2/bow, which is a Python-based browser password stealer
~/.n2/adc, which installs AnyDesk on Windows
Phylum said it identified comments in the source code ("/Users/ninoacuna/") that made it possible to track down a now-deleted GitHub profile with the same name ("Nino Acuna" or binaryExDev) containing a repository called File-Uploader.
Present within the repository were Python scripts referencing the same IP addresses (162.218.114[.]83, subsequently changed to 45.61.169[.]99) that were used to fetch the aforementioned Python scripts.