GitHub

The North Korean-linked Famous Chollima APT group abused GitHub's trusted infrastructure to distribute malicious NPM packages, targeting job seekers and, through them, the organizations that employ them. Posing as recruiters, the operators tricked candidates into downloading malware disguised as technical evaluation tools for an interview. The payload installed the InvisibleFerret backdoor, which established encrypted command-and-control communication and gave the actor credential theft, data exfiltration and remote command execution on Windows, Linux and macOS hosts. Because the victims were software developers and IT professionals, each infection was a foothold with access to sensitive organizational resources. The campaign highlights weaknesses in supply chain security and social-engineering defenses within development communities, where cloning a GitHub repository and running its code as part of an interview assessment is routine.
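As an added example (not code from this page, from Rankiteo, or from the threat actor), the Node.js script below triages a cloned "technical assessment" repository before `npm install` executes anything: it lists the lifecycle hooks declared in package.json, since npm runs those automatically, and scans JavaScript files for loader constructs such as `eval` of a decoded blob or `child_process` use. The `SAMPLE_PROJECT` input is constructed for illustration, and the patterns are generic heuristics chosen here, not indicators tied to InvisibleFerret.

```javascript
// Added example (not from the page or the threat actor): static triage of a
// "technical assessment" npm project BEFORE running `npm install`.
// The heuristics are generic; they are not InvisibleFerret signatures.

// npm runs these scripts automatically during `npm install` unless
// `--ignore-scripts` is passed, so each one is a code-execution point.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Constructs commonly used by loader stages that fetch or unpack a payload.
const SUSPICIOUS_PATTERNS = [
  { name: 'dynamic-eval',  re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { name: 'child-process', re: /require\(\s*['"]child_process['"]\s*\)/ },
  { name: 'base64-decode', re: /Buffer\.from\([^)]*['"]base64['"]\s*\)|\batob\s*\(/ },
  { name: 'raw-ip-url',    re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/ },
  { name: 'long-hex-blob', re: /['"][0-9a-fA-F]{64,}['"]/ },
];

// Returns one finding per lifecycle hook declared in package.json.
function auditLifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({ file: 'package.json', indicator: `lifecycle:${hook}`, detail: scripts[hook] }));
}

// Returns one finding per suspicious pattern present in a JavaScript file.
function auditSource(path, code) {
  return SUSPICIOUS_PATTERNS
    .filter((p) => p.re.test(code))
    .map((p) => ({ file: path, indicator: p.name, detail: p.re.source }));
}

// files: map of relative path -> file contents (already read into memory).
function triageProject(files) {
  const findings = [];
  if (files['package.json']) {
    findings.push(...auditLifecycleScripts(JSON.parse(files['package.json'])));
  }
  for (const [path, code] of Object.entries(files)) {
    if (path.endsWith('.js')) findings.push(...auditSource(path, code));
  }
  return findings;
}

function verdict(findings) {
  return findings.length === 0
    ? 'no indicators; still install with --ignore-scripts and read the code'
    : 'DO NOT run npm install; review findings offline first';
}

// Constructed sample "assessment" repo: a postinstall hook whose script decodes
// a blob, evals it, and spawns a child process. Purely illustrative.
const SAMPLE_PROJECT = {
  'package.json': JSON.stringify({
    name: 'frontend-assessment',
    version: '1.0.0',
    scripts: { test: 'jest', postinstall: 'node ./scripts/setup.js' },
  }),
  'scripts/setup.js': [
    "const cp = require('child_process');",
    "const stage2 = Buffer.from('Y29uc29sZS5sb2coJ2hpJyk=', 'base64').toString();",
    'eval(stage2);',
    "cp.execSync('node -v');",
  ].join('\n'),
  'src/app.js': 'module.exports = function add(a, b) { return a + b; };',
};

function runDemo() {
  const found = triageProject(SAMPLE_PROJECT);
  for (const f of found) console.log(`${f.file}: ${f.indicator} (${f.detail})`);
  console.log(verdict(found));
  return found;
}

runDemo();
```

To apply it to a real checkout, read the tree into the `files` map with `fs` before calling `triageProject`. The rule it encodes is the practical one: run interview take-homes in a throwaway VM, install with `npm install --ignore-scripts`, and read every hook script and every decoded blob before anything executes.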

Source: https://cybersecuritynews.com/famous-chollima-apt-hackers-attacking-job-seekers/

TPRM report: https://www.rankiteo.com/company/github

"id": "git233080925",
"linkid": "github",
"type": "Cyber Attack",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Various',
                        'type': 'Individuals (job seekers, software '
                                'developers, IT professionals)'}],
 'attack_vector': 'Social Engineering, Malicious NPM Packages',
 'data_breach': {'data_encryption': 'XOR encryption',
                 'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Browser credentials'},
 'date_detected': 'December 2022',
 'description': 'North Korean-linked Famous Chollima APT group has emerged as '
                'a sophisticated threat actor, orchestrating targeted '
                'campaigns against job seekers and organizations through '
                'deceptive recruitment processes. Active since December 2022, '
                'this advanced persistent threat has developed an intricate '
                'multi-stage attack methodology that exploits the trust '
                'inherent in professional networking and job-seeking '
                'activities.',
 'impact': {'data_compromised': 'Browser credentials, remote command execution '
                                'capabilities',
            'identity_theft_risk': 'High',
            'systems_affected': 'Windows, Linux, macOS environments'},
 'initial_access_broker': {'backdoors_established': 'InvisibleFerret backdoor',
                           'entry_point': 'Deceptive recruitment processes, '
                                          'malicious NPM packages on GitHub',
                           'high_value_targets': 'Software developers, IT '
                                                 'professionals'},
 'lessons_learned': 'Critical vulnerabilities in supply chain security and '
                    'social engineering defenses, particularly within '
                    'development communities where GitHub interactions and '
                    'technical assessments during interviews are standard '
                    'practice.',
 'motivation': 'Establishing footholds within target organizations, credential '
               'harvesting, data exfiltration',
 'post_incident_analysis': {'root_causes': 'Exploitation of trust in '
                                           'professional networking and '
                                           'job-seeking activities, abuse of '
                                           'GitHub’s trusted infrastructure'},
 'references': [{'source': 'Medium'}],
 'threat_actor': 'Famous Chollima APT Group',
 'title': 'Famous Chollima APT Group Targeting Job Seekers with Malicious NPM '
          'Packages',
 'type': 'Advanced Persistent Threat (APT)',
 'vulnerability_exploited': 'Trust in professional networking and job-seeking '
                            'activities'}