Malware
Beavertail
2 YARA rules
Indicators of Compromise (17)
Domain: jsonkeeper.com
GitHub Repo: OpenSourceMalware
GitHub Repo: marketfront
IP: 142.93.211.30
IP: 216.126.236.244
Package: events-runtime
Package: express-session-js
Package: npm:rollup-polyfill
Package: o3forms
Package: quirky-token
Package: react-icon-svgs
Package: rollup-packages-polyfill-core
Package: rollup-plugin-polyfill-connect
Package: rollup-runtime-polyfill-core
Package: security-alerts-sdk
Package: swift-parse-stream
Registry User: marketfront
MITRE ATT&CK TTPs (17)
ID         Technique                              Tactic
T1003      OS Credential Dumping                  Credential Access
T1005      Data from Local System                 Collection
T1027      Obfuscated Files or Information        Defense Evasion
T1056.001  Keylogging                             Collection
T1056.002  GUI Input Capture                      Collection
T1059.001  PowerShell                             Execution
T1059.007  JavaScript                             Execution
T1071      Application Layer Protocol             Command And Control
T1071.001  Web Protocols                          Command And Control
T1071.003  Mail Protocols                         Command And Control
T1082      System Information Discovery           Discovery
T1114      Email Collection                       Collection
T1195.002  Compromise Software Supply Chain       Initial Access
T1482      Domain Trust Discovery                 Discovery
T1490      Inhibit System Recovery                Impact
T1555      Credentials from Password Stores       Credential Access
T1566      Phishing                               Initial Access
YARA Detection Rules
Beavertail_YARA_Detection

rule Beavertail_Detection {
    meta:
        description = "Detects presence of Beavertail malware used in npm supply chain attacks by Lazarus-linked actors"
        author = "AI Generated"
        threat_actor = "Lazarus"
        malware_family = "Beavertail"
        ttps = "T1195.002, T1555, T1059.007, T1071.001, T1027, T1082, T1005, T1566, T1071, T1114, T1056.002, T1056.001"
        ioc_domains = "jsonkeeper.com"
        ioc_ips = "216.126.236.244, 142.93.211.30"
        ioc_packages = "rollup-packages-polyfill-core, rollup-runtime-polyfill-core, quirky-token, react-icon-svgs, rollup-plugin-polyfill-connect, swift-parse-stream, express-session-js, security-alerts-sdk, events-runtime, o3forms"
        ioc_github = "marketfront"
        ioc_registry_user = "marketfront"
    strings:
        // Malicious npm package names from the IoC list
        $pkg1 = "rollup-packages-polyfill-core" ascii wide
        $pkg2 = "rollup-runtime-polyfill-core" ascii wide
        $pkg3 = "quirky-token" ascii wide
        $pkg4 = "react-icon-svgs" ascii wide
        $pkg5 = "rollup-plugin-polyfill-connect" ascii wide
        $pkg6 = "swift-parse-stream" ascii wide
        $pkg7 = "express-session-js" ascii wide
        $pkg8 = "security-alerts-sdk" ascii wide
        $pkg9 = "events-runtime" ascii wide
        $pkg10 = "o3forms" ascii wide
        // Publishing account and repository used to host the packages
        $repo_url = "github.com/marketfront" ascii wide nocase
        $registry_user = "npmjs.com/~marketfront" ascii wide
        // Exfiltration and C2 infrastructure
        $malicious_domain = "jsonkeeper.com" ascii wide nocase
        $exfil_ip1 = "216.126.236.244" ascii wide
        $exfil_ip2 = "142.93.211.30" ascii wide
        // Command execution primitives
        $cmd_exec = "child_process.exec" ascii wide
        $cmd_spawn = "child_process.spawn" ascii wide
        // Environment and credential-file collection
        $env_collect = "$env" ascii wide
        $credential_files = "package-lock.json" ascii wide
        $credential_files2 = ".npmrc" ascii wide
        $credential_files3 = ".git-credentials" ascii wide
        $credential_files4 = "id_rsa" ascii wide
        // Exfiltration, beaconing and interactive shell function names
        $exfiltrate_func = "uploadData" ascii wide
        $beacon_func = "sendHeartbeat" ascii wide
        $interactive_shell = "createInteractiveShell" ascii wide
        // Analysis-environment checks
        $anti_sandbox1 = "process.env.CI" ascii wide
        $anti_sandbox2 = "require('vm')" ascii wide
        $anti_sandbox3 = "isDocker" ascii wide
    condition:
        // Header-only clauses (ELF or MZ magic on their own) would match every native
        // binary on the system; the npm stage is JavaScript, so detection rests on the
        // co-occurrence of one indicator from each group below.
        (any of ($pkg*) or $registry_user or $repo_url) and
        ($malicious_domain or $exfil_ip1 or $exfil_ip2) and
        ($cmd_exec or $cmd_spawn or $interactive_shell) and
        (any of ($credential_files*) or $env_collect) and
        ($exfiltrate_func or $beacon_func) and
        (any of ($anti_sandbox*))
}

Beavertail_YARA_Detection
// Renamed from Beavertail_Detection so that both rules on this page compile in one ruleset.
rule Beavertail_Detection_PolinRider {
    meta:
        description = "Detects Beavertail malware associated with North Korean threat actors in the PolinRider operation targeting cryptocurrency developers"
        author = "AI Generated"
        threat_actor = "Contagious Interview"
        campaign = "PolinRider"
        malware_family = "Beavertail"
        ttps = "T1059.001, T1071.003, T1003, T1482, T1490"
        ioc_package = "npm:rollup-polyfill"
        ioc_github = "OpenSourceMalware"
    strings:
        // Generic JavaScript loader, obfuscation and runtime primitives; weak on their own
        $s1 = "eval" wide ascii
        $s2 = "Function" wide ascii
        $s3 = "atob" wide ascii
        $s4 = "process.binding" wide ascii
        $s5 = "child_process" wide ascii
        $s6 = "exec" wide ascii
        $s7 = "setInterval" wide ascii
        $s8 = "WebSocket" wide ascii
        $s9 = "crypto" wide ascii
        $s10 = "require" wide ascii
        $s11 = "vscode" wide ascii
        $s12 = "tasks.json" wide ascii
        $s13 = "runCommand" wide ascii
        $s14 = "git push" wide ascii
        $s15 = "origin main --force" wide ascii
        $s16 = "localStorage" wide ascii
        $s17 = "location.href" wide ascii
        $s18 = "chrome-extension" wide ascii
        $s19 = "getEnvironmentVariable" wide ascii
        $s20 = "decodeURIComponent" wide ascii
        // Campaign-specific markers
        $m1 = "function decryptPayload" wide ascii
        $m2 = "fetch(\"https://api.github.com/repos/OpenSourceMalware" wide ascii
        $m3 = "npm:rollup-polyfill" wide ascii
        $m4 = "malicious task" wide ascii nocase
        $m5 = "auto-push" wide ascii nocase
    condition:
        // ELF magic is 7F 45 4C 46, which read as a little-endian uint32 at offset 0 is
        // 0x464C457F (the original compared uint32(1) against 0x454C46, which never matches).
        (uint32(0) == 0x464C457F and $s10 and $m3)
        or
        (
            filesize < 500KB and
            // File begins like a script: "/*", "<!", or "f" (e.g. "function") together with eval
            (
                (uint8(0) == 0x2F and uint8(1) == 0x2A) or
                (uint8(0) == 0x3C and uint8(1) == 0x21) or
                (uint8(0) == 0x66 and $s1)
            ) and
            // Require a campaign marker plus several generic primitives; "any of ($s*)" on
            // its own fires on nearly every JavaScript file
            any of ($m*) and 3 of ($s*)
        )
}

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.
Source Articles
North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets
North Korean threat actors have been linked to a software supply chain attack involving malicious npm packages that impersonate legitimate Rollup polyfill tools. The packages, such as 'rollup-packages-polyfill-core' and 'rollup-runtime-polyfill-core', install secondary-stage malicious dependencies to steal developer secrets and enable remote access. The malware evades analysis environments, exfiltrates credentials, and supports interactive command execution, targeting developer workstations and CI/CD systems. This activity mirrors previous Lazarus-linked campaigns exploiting npm for credential theft.
hacker-news ·1d ago
North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
North Korean threat actors associated with the Contagious Interview campaign have launched the PolinRider operation, distributing 108 malicious packages and browser extensions across npm, Packagist, Go, and Google Chrome. The attack targets developers in the cryptocurrency sector through social engineering, compromising maintainer accounts to inject obfuscated JavaScript payloads into legitimate repositories. These payloads deliver second-stage malware such as DEV#POPPER RAT and OmniStealer by leveraging blockchain infrastructure and malicious VS Code task files, while using Git history manipulation to evade detection.
hacker-news ·1d ago