“テック企業の従業員を狙ったソーシャルエンジニアリングキャンペーンをGitHubが注意喚起。
開発・採用担当者になりすまし、リポジトリの共同作業に標的を招待。マルウエアが含まれるクローンの作成・実行を誘導させる。同社は北朝鮮関与のグループによるものと分析。”
GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies. Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.
Security alert: social engineering campaign targets technology industry employees
