North Korean Npm Malware Targets Developers In Fake Job Interviews

HomeNews* Researchers uncovered 35 new malicious npm packages tied to North Korean threat actors.

• The packages were downloaded over 4,000 times and posted from 24 npm accounts.
• The campaign uses encoded Malware loaders to deliver information stealers and remote access tools.
• Attackers pose as recruiters and target developers with fake job assignments on sites like LinkedIn.
• The operation aims to steal cryptocurrency and sensitive data from compromised developer systems. Cybersecurity specialists have identified 35 new harmful npm packages connected to the ongoing “Contagious Interview” cyber attack campaign, which is attributed to state-sponsored groups from North Korea. The new wave of malicious software appeared on the npm open-source package platform and targets developers and job seekers.

• Advertisement - According to Socket, these packages have been uploaded from 24 separate npm accounts and have received over 4,000 downloads. Six of these packages, including “react-plaid-sdk,” “sumsub-node-websdk,” and “router-parse,” remained publicly available at the time of discovery.

Each package contains a tool called HexEval, which is a hex-encoded loader that collects information about the host computer after installation. HexEval selectively deploys another malicious program named BeaverTail, which can download and run a Python-based backdoor called InvisibleFerret. This sequence allows the Hackers to steal sensitive data and remotely control the infected system. “This nesting-doll structure helps the campaign evade basic static scanners and manual reviews,” stated Socket researcher Kirill Boychenko.

The campaign often begins when threat actors pose as recruiters on platforms like LinkedIn. They contact software engineers and send fake job assignments via links to projects hosted on GitHub or Bitbucket where these npm packages are embedded. Victims are then convinced to download and run these projects, sometimes outside of secure environments.

The Contagious Interview operation, first detailed by Palo Alto Networks Unit 42 in late 2023, seeks unauthorized access to developer machines primarily for cryptocurrency and data theft. The campaign is also known by names like CL-STA-0240, DeceptiveDevelopment, and Gwisin Gang.

Socket reports that current attacker tactics combine malware-laced open source packages, tailored social engineering, and layered delivery mechanisms to bypass security systems. The campaign shows ongoing refinement, with the addition of cross-platform keyloggers and new malware delivery techniques.

Recent activity includes the use of a social engineering strategy called ClickFix, which delivers malware such as GolangGhost and PylangGhost. This sub-campaign, ClickFake Interview, continues to target developers with customized payloads for deeper surveillance when necessary.

• Advertisement - More details and the full list of affected npm packages can be found through the public statement by Socket.

Previous Articles:

• Argent Wallet Rebrands as Ready with Dual Product Strategy
• YESminer Launches AI-Powered Crypto Platform With Free Bonuses
• Bank of Korea Wants Banks to Lead Stablecoin Issuance, Eyes Safety
• Bernie Sanders Warns AI, Robots Threaten Jobs; Urges New Protections
• Senate Hearing on Crypto Market Structure Draws Only Five Members

• Advertisement -