Cybersecurity researchers have uncovered a recent batch of malicious npm packages linked to the continuing Contagious Interview operation originating from North Korea.
In response to Socket, the continuing provide chain assault entails 35 malicious packages that have been uploaded from 24 npm accounts. These packages have been collectively downloaded over 4,000 instances. The whole record of the JavaScript libraries is under –
- react-plaid-sdk
- sumsub-node-websdk
- vite-plugin-next-refresh
- vite-plugin-purify
- nextjs-insight
- vite-plugin-svgn
- node-loggers
- react-logs
- reactbootstraps
- framer-motion-ext
- serverlog-dispatch
- mongo-errorlog
- next-log-patcher
- vite-plugin-tools
- pixel-percent
- test-topdev-logger-v1
- test-topdev-logger-v3
- server-log-engine
- logbin-nodejs
- vite-loader-svg
- struct-logger
- flexible-loggers
- beautiful-plugins
- chalk-config
- jsonpacks
- jsonspecific
- jsonsecs
- util-buffers
- blur-plugins
- proc-watch
- node-orm-mongoose
- prior-config
- use-videos
- lucide-node, and
- router-parse
Of those, six proceed to stay out there for obtain from npm: react-plaid-sdk, sumsub-node-websdk, vite-plugin-next-refresh, vite-loader-svg, node-orm-mongoose, and router-parse.
Every of the recognized npm packages comprises a hex-encoded loader dubbed HexEval, which is designed to gather host info publish set up and selectively ship a follow-on payload that is accountable for delivering a recognized JavaScript stealer known as BeaverTail.
BeaverTail, in flip, is configured to obtain and execute a Python backdoor known as InvisibleFerret, enabling the menace actors to gather delicate information and set up distant management of contaminated hosts.
“This nesting-doll construction helps the marketing campaign evade primary static scanners and handbook evaluations,” Socket researcher Kirill Boychenko mentioned. “One npm alias additionally shipped a cross-platform keylogger package deal that captures each keystroke, displaying the menace actors’ readiness to tailor payloads for deeper surveillance when the goal warrants it.”
Contagious Interview, first publicly documented by Palo Alto Networks Unit 42 in late 2023, is an ongoing marketing campaign undertaken by North Korean state-sponsored menace actors to acquire unauthorized entry to developer techniques with the purpose of conducting cryptocurrency and information theft.
The cluster can also be broadly tracked beneath the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Well-known Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
Current iterations of the marketing campaign have additionally been noticed benefiting from the ClickFix social engineering tactic to ship malware comparable to GolangGhost and PylangGhost. This sub-cluster of exercise has been designated the identify ClickFake Interview.
The newest findings from Socket level to a multi-pronged method the place Pyongyang menace actors are embracing varied strategies to trick potential targets into putting in malware beneath the pretext of an interview or a Zoom assembly.
The npm offshoot of Contagious Interview usually entails the attackers posing as recruiters on LinkedIn, sending job seekers and builders coding assignments by sharing a hyperlink to a malicious mission hosted on GitHub or Bitbucket that embeds the npm packages inside them.
“They aim software program engineers who’re actively job-hunting, exploiting the belief that job-seekers usually place in recruiters,” Boychenko mentioned. “Faux personas provoke contact, usually with scripted outreach messages and convincing job descriptions.”
The victims are then coaxed into cloning and operating these initiatives exterior containerized environments through the purported interview course of.
“This malicious marketing campaign highlights an evolving tradecraft in North Korean provide chain assaults, one which blends malware staging, OSINT-driven focusing on, and social engineering to compromise builders by way of trusted ecosystems,” Socket mentioned.
“By embedding malware loaders like HexEval in open supply packages and delivering them by way of pretend job assignments, menace actors sidestep perimeter defenses and achieve execution on the techniques of focused builders. The marketing campaign’s multi-stage construction, minimal on-registry footprint, and try to evade containerized environments level to a well-resourced adversary refining its intrusion strategies in real-time.”
