The Blueprint of a North Korean Attack on Open-Source (casco.com)

The article describes how North Korean attackers used a supply-chain attack against JavaScript open-source projects by smuggling obfuscated malware into a seemingly legitimate pull request that modified build configuration files. The malicious code runs during npm build/dev/CI, decodes multi-stage payloads, pulls additional stages from blockchain “dead drops,” and then establishes command-and-control to execute arbitrary commands via a “zombie” process. It also discusses how GitHub’s default PR views can hide dangerous changes after merging, and provides a technical breakdown of the malware’s obfuscation and execution flow.