Ethical Hacking News
A new wave of malicious npm packages has been discovered that spread malware through fake job interviews, targeting software developers and job seekers. The campaign uses 35 malicious packages that load the BeaverTail info-stealer and InvisibleFerret backdoor on victims' machines. Learn more about this emerging threat and how you can protect yourself from such attacks.
North Korea's cyber threat actors have launched a new wave of malicious attacks on job seekers and software developers through fake interviews conducted on platforms like LinkedIn. The malware campaign uses 35 malicious npm packages that load the BeaverTail info-stealer and InvisibleFerret backdoor on victims' machines. Over 4,000 downloads of the malicious packages have been recorded, with six remaining available at the time of writing. The attack campaign involves posing as recruiters to request job candidates to work on a test project, triggering an infection chain that drops multiple payloads on the target's computer. BeaverTail is a multi-platform info-stealer that steals browser data and loads the InvisibleFerret backdoor for remote control and ongoing access. The attack highlights the evolving nature of social engineering attacks and the need for users to exercise caution when interacting with unsolicited messages or requests. Developers should treat such invitations with caution, while employers and recruiters must ensure their employees are aware of the risks associated with these attacks. The incident underscores the importance of maintaining up-to-date software and dependencies, as well as improving cybersecurity measures within organizations.
North Korea's cyber threat actors have launched a new wave of malicious attacks, this time targeting job seekers and software developers through fake interviews conducted on platforms like LinkedIn. The malware campaign uses 35 malicious npm packages that load the BeaverTail info-stealer and InvisibleFerret backdoor on victims' machines, two well-documented payloads associated with North Korean hackers.
The latest attack wave was discovered by Socket Threat Research, which reports that the packages were submitted to npm through 24 accounts. The malicious packages have been downloaded over 4,000 times in total, with six of them remaining available at the time of writing. Several of the malicious packages are typosquats or mimic well-known and trusted libraries, making them especially dangerous.
The attack campaign involves North Korean operatives posing as recruiters and asking job candidates to work on a test project. The assignments are hosted on Bitbucket and appear to be legitimate coding tests, but they trigger an infection chain that drops multiple payloads on the target's computer. The first stage of the malware is hidden in the npm packages; it fingerprints the host, contacts the threat actor's command-and-control (C2) server, and uses 'eval()' to fetch and execute the second-stage payload, BeaverTail.
BeaverTail is a multi-platform info-stealer that steals browser data, including cookies and cryptocurrency wallets. It also loads the InvisibleFerret backdoor, a cross-platform persistent backdoor delivered as a ZIP file. This gives the attackers deeper, ongoing access to the victim's system, with remote control, file theft, and screenshot capabilities.
The attack campaign has been attributed to North Korean hackers, who have previously demonstrated a sophisticated approach to cyber threats. The use of malware in fake job interviews highlights the evolving nature of social engineering attacks and the need for users to exercise caution when interacting with unsolicited messages or requests.
In light of this recent attack, software developers and job seekers need to be vigilant and take the necessary precautions. Developers should treat these invitations with caution and run unknown code in containers or virtual machines rather than directly on their own host system. Employers and recruiters must also ensure that their employees are aware of the risks associated with such attacks and take steps to prevent them.
The use of malicious npm packages as a means of spreading malware highlights the importance of maintaining up-to-date software and dependencies. Developers should regularly review the packages they install and ensure that they are not vulnerable to exploits or tampering. Furthermore, the incident underscores the need for improved cybersecurity measures within organizations, particularly in industries where remote work is prevalent.
The latest attack wave serves as a reminder of the ongoing threat landscape and the importance of staying informed about emerging threats. As cybersecurity threats continue to evolve, it is crucial for individuals and organizations to remain vigilant and take proactive steps to protect themselves against such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Wave-of-Deception-North-Koreas-Fake-Interviews-Malware-Campaign-Targets-Job-Seekers-Through-npm-Packages-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-wave-of-fake-interviews-use-35-npm-packages-to-spread-malware/
Published: Wed Jun 25 15:03:23 2025 by llama3.2 3B Q4_K_M