Popular software development and management firm, GitHub, issued a security warning about a new low-volume social engineering scam aimed at tech industry professionals.
In this new scam, the actors start by impersonating a developer or recruiter through various websites including LinkedIn, Telegram, and Slack. While these personas are usually fake, sometimes they steal legitimate accounts and pretend to be them.
In both situations, the hacker may attempt to use a different communication platform to continue the conversation.
The goal of whatever communication they use is to invite the recipient to be a collaborator on a GitHub repository project. After accepting, the recipient is asked to clone and execute its contents, injecting malware onto their devices, which deploys further stages of malware.
It’s worth noting, that in some cases the malware comes from a link sent during the messaging portion of the process, before introducing the GitHub repository.
“We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the US Cybersecurity and Infrastructure Security Agency (CISA),” says GitHub in a recent security advisory.
Many of the individuals targeted were connected to blockchain, cryptocurrency, or online gambling sectors, but there were a few cybersecurity personnel targeted as well. In response, GitHub suspended npm and GitHub accounts associated with the hack, as well as filed abuse reports with the domain names that were still available.
They recommend anyone who believes they may have been infected to change their passwords, rotate their sensitive credentials, and even reset or wipe their system depending on the severity.
They also recommend being careful of verifying who you’re talking to before clicking links or moving to an outside service and being wary of collaboration requests that request you to download additional software.