DPRK-linked (Famous Chollima) supply chain campaign targeting developers via npm, PyPI, and fake job interviews. MicrosoftSystem64 / js-logger-pack is attributed to this campaign cluster via the toskypi identity ([email protected]), jpeek account rotation (jpeek868/886/895), and shared Lordplay/system-releases HuggingFace infrastructure. Overlapping sub-campaigns: Contagious Trader (crypto trading lures), BigSquatRat (typosquats).
Objective
Cryptocurrency theft, developer credential harvesting, persistent remote access to developer workstations
Packages
Indicators
- domain api-sub.jrodacooker.dev (communicates-with)
- domain huggingface.co (communicates-with)
- ipv4 195.201.194.107 (communicates-with)
- domain copilot-ai.whisdev.org (communicates-with)
- sha256 b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97 (drops)
- url https://huggingface.co/jpeek998/system-releases/resolve/main (communicates-with)
- url https://huggingface.co/Lordplay/system-releases (communicates-with)
- email [email protected] (indicates)
- file_path ~/.local/share/MicrosoftSystem64 (uses)
- file_path ~/.pcl-state/uploads.json (uses)
- email [email protected] (indicates)
- url https://huggingface.co/jpeek998/linux_doc_75a5ffec36ca (exfiltrates-to)
- domain sha256-validate-rpc.vercel.app (exfiltrates-to)
- domain changelog.rest (exfiltrates-to)
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1041 Exfiltration Over C2 Channel (uses)
- ttp T1552.004 Unsecured Credentials: Private Keys (uses)
- ttp T1539 Steal Web Session Cookie (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp T1102 Web Service (uses)
- ttp T1546 Event Triggered Execution (uses)
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1555.003 Credentials from Password Stores: Web Browsers (uses)
- ttp T1056.001 Input Capture: Keylogging (uses)
- ttp T1115 Clipboard Data (uses)
- ttp T1113 Screen Capture (uses)
- ttp T1567.001 Exfiltration to Code Repository (uses)
- ttp T1053.005 Scheduled Task/Job: Scheduled Task (uses)
- ttp T1543.004 Create or Modify System Process: Launch Daemon (uses)
- ttp T1543.002 Create or Modify System Process: Systemd Service (uses)
- ttp T1059.004 Command and Scripting Interpreter: Unix Shell (uses)
- ttp Node.js Single Executable Application Packaging (uses)
- ttp T1027.013 Obfuscated Files or Information: Encrypted/Encoded File (uses)
- ttp T1078.001 Valid Accounts: Default Accounts (uses)
