Software developers are the target of a sophisticated supply chain attack by North Korea's Lazarus Group under the "Fake Font" campaign. Threat actors are tricking engineers into downloading code that contains hidden malware by using phony job interviews and malicious GitHub repositories.

With 19 repositories identified as part of the operation, this campaign, which started more than a hundred days ago, has recently intensified. In the end, the malware installs the InvisibleFerret Python backdoor, which is intended to steal browser credentials and cryptocurrency wallets and to maintain long-term access to compromised computers.

Fake Font (Source: OpenSourceMalware)

The attack starts on LinkedIn, where developers are contacted by phony recruiters from fintech and cryptocurrency companies. They pretend to be hiring managers who are impressed by the target's GitHub profile and ask them to finish a quick coding test. Developers are sent links to seemingly authentic repositories with standard web project structures: React frontends, Node.js backends, appropriate documentation, and CI/CD configurations.

19 repositories on GitHub (Source: OpenSourceMalware)

The malicious repositories are hard to tell apart from legitimate projects at first glance because of their authentic appearance. The campaign's mechanism was discovered and recorded by OpenSourceMalware analysts. The attack takes advantage of the task automation feature of Microsoft Visual Studio Code, which developers frequently use to run tests and build projects.

Every malicious repository contains a hidden .vscode/tasks.json file that is set up to run automatically when the folder is opened in Visual Studio Code.

Mechanism of infection

As part of the infection mechanism, JavaScript malware is disguised as web font files with .woff2 extensions. The malicious task, which uses Node.js to run the fake font file, is automatically launched by VS Code when a developer opens the repository.

This sets off a multi-stage loader that, while mostly undetectable to the user, runs the malware. The task configuration's presentation settings conceal any output windows, making it challenging to identify the attack.

This campaign is especially risky because it takes advantage of the legitimate trust that developers have in open-source repositories and development tools. With font files that precisely match the anticipated project layout for web applications using Font Awesome icons, the repository structure appears entirely normal. There are no obvious signs that developers are installing malware when they clone these repositories for a job assessment.

The campaign serves as an example of how attackers are constantly improving their methods for getting around security measures. Lazarus Group effectively targets a high-value audience with access to sensitive systems and cryptocurrency assets by combining social engineering, supply chain vulnerabilities, and tool-specific features. To find possible compromises from this campaign, security teams should promptly examine VS Code configurations and GitHub repository access throughout their companies.
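The two mechanisms described above (a tasks.json that runs on folder open and hides its output, and JavaScript stored under a .woff2 name) give a security team something concrete to look for. The following scanner is an added example written for this article; it is not code from OpenSourceMalware, from the campaign, or from any of the 19 repositories. It walks a checked-out repository, flags tasks that auto-run, hand a font-named file to an interpreter, or suppress their output, and checks whether every font-named file actually starts with a font container signature. The sample tasks.json and file contents it builds are constructed for illustration; the task label, paths and file names are assumptions, not indicators from the campaign.

```python
"""Defender-side scan for auto-run VS Code tasks that execute font-named files.

Added example, not from the OpenSourceMalware report or the campaign itself.
All sample data below is constructed.
"""
from __future__ import annotations

import json
import os
import tempfile
from pathlib import Path

FONT_EXTENSIONS = {".woff", ".woff2", ".ttf", ".otf", ".eot"}
INTERPRETERS = {"node", "nodejs", "python", "python3", "bash", "sh", "pwsh", "powershell", "cmd"}
# Genuine font containers begin with one of these signatures:
# WOFF = "wOFF", WOFF2 = "wOF2", TrueType = 0x00010000 or "true", OpenType/CFF = "OTTO".
FONT_MAGIC = (b"wOFF", b"wOF2", b"\x00\x01\x00\x00", b"true", b"OTTO")

# Constructed tasks.json: one benign task and one shaped like the behaviour the
# article describes (runs on folderOpen, feeds a .woff2 path to node, hides output).
SAMPLE_TASKS_JSON = json.dumps({
    "version": "2.0.0",
    "tasks": [
        {"label": "Install dependencies", "type": "shell",
         "command": "npm", "args": ["install"], "problemMatcher": []},
        {"label": "Preload fonts", "type": "shell",
         "command": "node", "args": ["./public/fonts/icons.woff2"],
         "runOptions": {"runOn": "folderOpen"},
         "presentation": {"reveal": "never", "echo": False, "panel": "dedicated"}},
    ],
}, indent=2)


def looks_like_font(data: bytes) -> bool:
    """True when the leading bytes match a known font container signature."""
    return data.startswith(FONT_MAGIC)


def _command_tokens(task: dict) -> list[str]:
    """Flatten a task's command and args into lowercase tokens."""
    cmd = task.get("command", "")
    tokens = cmd.split() if isinstance(cmd, str) else []
    args = task.get("args", [])
    if isinstance(args, list):
        tokens += [str(a) for a in args]
    return [t.lower() for t in tokens]


def scan_tasks_json(text: str) -> list[dict]:
    """Return one finding per task that shows any of the suspicious traits."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [{"label": None, "reasons": ["tasks.json is not valid JSON (JSONC comments?)"]}]
    findings = []
    for task in doc.get("tasks", []):
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically on folder open")
        tokens = _command_tokens(task)
        if tokens and os.path.basename(tokens[0]) in INTERPRETERS:
            font_args = [t for t in tokens[1:] if Path(t).suffix.lower() in FONT_EXTENSIONS]
            if font_args:
                reasons.append("interpreter executes font-named file(s): " + ", ".join(font_args))
        pres = task.get("presentation", {})
        if pres.get("reveal") in ("never", "silent") or pres.get("echo") is False:
            reasons.append("output is hidden")
        if reasons:
            findings.append({"label": task.get("label"), "reasons": reasons})
    return findings


def scan_repo(root: str) -> dict:
    """Scan a checked-out repository: its tasks.json plus every font-named file."""
    root_path = Path(root)
    report = {"tasks": [], "fake_fonts": []}
    tasks_file = root_path / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        report["tasks"] = scan_tasks_json(tasks_file.read_text(encoding="utf-8", errors="replace"))
    for path in root_path.rglob("*"):
        if path.is_file() and path.suffix.lower() in FONT_EXTENSIONS:
            with path.open("rb") as fh:
                head = fh.read(8)
            if not looks_like_font(head):
                report["fake_fonts"].append(path.relative_to(root_path).as_posix())
    return report


def demo() -> dict:
    """Build the constructed sample repository in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON)
        fonts = root / "public" / "fonts"
        fonts.mkdir(parents=True)
        # Constructed stand-ins: one real WOFF2 header, one JavaScript file under a font name.
        (fonts / "brand.woff2").write_bytes(b"wOF2" + b"\x00" * 28)
        (fonts / "icons.woff2").write_bytes(b"console.log('not a font');\n")
        return scan_repo(str(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a cloned repository by calling scan_repo on its root; the demo only scans the temporary sample it constructs. Two caveats for real use: VS Code accepts comments in tasks.json (JSONC), so strip them before parsing or the scanner will only report that the file did not parse; and the magic-byte check catches a script stored under a font name, not a genuine font carrying something appended after its header. On the prevention side, VS Code's Workspace Trust prompt and its task.allowAutomaticTasks setting decide whether folderOpen tasks may run at all, so reviewing those settings across developer machines complements scanning the repositories themselves.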
