Sophisticated Ongoing Attack on NPM Exposed

Supposedly North Korean nation-state actors have been targeting the supply chain of the NPM ecosystem. Lots of details in the article.

This part is interesting:

As mentioned above, this attack chain is spread across a pair of packages and the order in which these packages need to be installed is important. This is because the first package will fetch a token from one of several potential remote servers and store it within a subdirectory of the user's home directory, such as <usersHomeDir>/.config/npmcache.

Subsequently, the second package utilizes this token to acquire another script from the remote server. Given this workflow, it's crucial that each package in a pair is executed sequentially, in the correct order, and on the same machine to ensure successful operation.
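A defender-side way to look for the two-package staging pattern the article describes, as an added example (not code from the post or the article it quotes): audit the lifecycle scripts of installed package manifests for the one indicator the article names, the `.config/npmcache` directory under the user's home. The sample `package.json` objects are constructed for illustration.

```javascript
// Hooks npm runs automatically at install time; a staged chain needs one of
// these to write the token and another (in the second package) to read it.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// The only indicator taken from the article; anything further would be an
// assumption, so the list stays at this single path.
const INDICATORS = ['.config/npmcache'];

// Return every lifecycle hook a package.json declares, with its command line.
function lifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Audit a list of package.json objects. A package is flagged when an
// install-time hook references an indicator path. Every package that runs
// install-time code at all is also recorded, because pairing two such
// packages on one machine is the precondition the article describes.
function auditPackages(pkgs) {
  const flagged = [];
  const withHooks = [];
  for (const pkg of pkgs) {
    const hooks = lifecycleScripts(pkg);
    if (hooks.length === 0) continue;
    withHooks.push(pkg.name);
    for (const { hook, command } of hooks) {
      const hit = INDICATORS.find((i) => command.includes(i));
      if (hit) flagged.push({ name: pkg.name, hook, indicator: hit });
    }
  }
  return { flagged, withHooks };
}

// Constructed sample manifests: no hooks, a benign native build step, and a
// package whose preinstall writes under the path the article names.
const SAMPLE_PACKAGES = [
  { name: 'pad-utils', version: '1.0.0', scripts: { test: 'node test.js' } },
  { name: 'build-helper', version: '2.1.0', scripts: { postinstall: 'node-gyp rebuild' } },
  { name: 'stage-one', version: '0.0.3',
    scripts: { preinstall: 'node stage.js ~/.config/npmcache' } },
];

console.log(JSON.stringify(auditPackages(SAMPLE_PACKAGES), null, 2));
```

In practice you would feed it the `package.json` of every entry under `node_modules`; a hit on the indicator path is a reason to inspect the package, while the `withHooks` list narrows which packages could be the other half of a pair.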

We still aren't sure exactly what this attack was trying to do, but splitting up the payload into two packages is a clever way to avoid detection.

Reminds me of the BadgerDAO attack from earlier this year, and the Newegg attack from 2018.