{
	"id": "73cfb8f4-1fe3-4d2f-96f2-00ae2ab0bccb",
	"created_at": "2026-04-06T00:08:16.549667Z",
	"updated_at": "2026-04-10T03:38:20.796711Z",
	"deleted_at": null,
	"sha1_hash": "c50b1749b87753e0c54b8f8a4b5eaff0faafab3a",
	"title": "Security alert: social engineering campaign targets technology industry employees",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68073,
	"plain_text": "Security alert: social engineering campaign targets technology industry employees\r\nBy Alexis Wales\r\nPublished: 2023-07-18 · Archived: 2026-04-05 21:19:07 UTC\r\nGitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies. Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.\r\nThreat actor profile\r\nWe assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.\r\nAttack chain\r\nThe attack chain operates as follows:\r\n1. Jade Sleet impersonates a developer or recruiter by creating one or more fake persona accounts on GitHub and other social media providers. Thus far, we have identified fake personas that operated on LinkedIn, Slack, and Telegram. In some cases these are fake personas; in other cases, they use legitimate accounts that have been taken over by Jade Sleet. The actor may initiate contact on one platform and then attempt to move the conversation to another platform.\r\n2. After establishing contact with a target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its contents. The GitHub repository may be public or private. The GitHub repository contains software that includes malicious npm dependencies. Some software themes used by the threat actor include media players and cryptocurrency trading tools.\r\n3. The malicious npm packages act as first-stage malware that downloads and executes second-stage malware on the victim’s machine. Domains used for the second-stage download are listed below.\r\nThe threat actor often publishes their malicious packages only when they extend a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny.\r\nIn some cases, the actor may deliver the malicious software directly on a messaging or file sharing platform, bypassing the repository invitation/clone step.\r\nThe mechanics of the first-stage malware are described in detail in a blog by Phylum Security. Phylum’s work, conducted completely independently of GitHub, mirrors our own research.\r\nWhat GitHub is doing\r\nWe have suspended npm and GitHub accounts associated with the campaign.\r\nWe are publishing indicators below.\r\nWe have filed abuse reports with domain hosts in cases where the domain was still available at time of detection.\r\nWhat you can do\r\nIf you were solicited, by anyone, to clone or download content associated with one of the accounts noted below, then you were targeted by this campaign.\r\nYou can review your security log for action:repo.add_member events to determine if you ever accepted an invite to a repository from one of the accounts noted below.\r\nBe wary of social media solicitations to collaborate on or install npm packages or software that depends on them, particularly if you are associated with one of the targeted industry sectors listed above.\r\nExamine dependencies and installation scripts. Very recently published, net-new packages, or scripts or dependencies that make network connections during installation should receive extra scrutiny.\r\nIf you were targeted by the campaign, we recommend you contact your employer’s cybersecurity department.\r\nIf you executed any content as a result of this campaign, it may be prudent to reset or wipe potentially affected devices, change account passwords, and rotate sensitive credentials/tokens stored on the potentially affected device.\r\nIndicators\r\nDomains\r\nMalicious npm packages\r\nMalicious GitHub accounts\r\nMalicious npm accounts\r\nExternal References\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a\r\nhttps://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/\r\nSource: https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/"
	],
	"report_names": [
		"2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees"
	],
	"threat_actors": [
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434096,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c50b1749b87753e0c54b8f8a4b5eaff0faafab3a.pdf",
		"text": "https://archive.orkl.eu/c50b1749b87753e0c54b8f8a4b5eaff0faafab3a.txt",
		"img": "https://archive.orkl.eu/c50b1749b87753e0c54b8f8a4b5eaff0faafab3a.jpg"
	}
}