One risk of open source development and development in public is that anyone can take part, hence appropriate management of merges is key. Therefore automated services without appropriate strategies to mitigate this are probably not useful. I am curious: did these contributors actually make any malicious changes?
Author here,
No, they didn't. Not in this case. That's not to say they wouldn't at some point. In some of the previous cases we dealt with, North Koreans were obsessively trying to get write access to CI/CD from the repo owners. They will also try to get your PAT tokens if possible. Similarly, any other access tokens (AWS etc.). We had one case where a malicious npm dependency was injected after a few months of regular work.
DPRK IT Workers' focus is not hacking, it's:
1. Getting paid (the quality of work is variable; sometimes they are not that bad, but most of the time they are basically stubborn junior devs)
2. Then, stealing secrets to exfiltrate to actual DPRK hackers
3. Then, credibility building, so they could return to your co-workers with a job offer or some repository code with an "issue to debug" and force you to open code/attachments.
They will also recommend each other for jobs. If you hire one and signal that you want to hire more, they will invite their "friends". In some organizations this can go as high as 3 to 5 DPRK IT Workers in a 10-person team.