

Ethical Hacking News

North Korean Hackers' Cunning Scheme: Deploying BeaverTail Malware via 11 Malicious npm Packages



North Korean hackers have deployed the BeaverTail malware through 11 malicious npm packages on the popular software distribution platform, npm (Node Package Manager). This attack serves as a stark reminder of the evolving threat landscape and the need for developers to remain vigilant in protecting themselves against such attacks.

  • North Korean hackers have deployed BeaverTail malware through 11 malicious npm packages, highlighting the evolving threat landscape.
  • The attackers employed hexadecimal string encoding to evade automated detection systems and manual code audits.
  • The malicious packages masqueraded as utilities and debuggers, with some linked to Bitbucket repositories.
  • Some packages had minor code-level variations, indicating that multiple malware variants were published to increase the campaign's success rate.
  • The end goal is to infiltrate developer systems for stealing sensitive data, siphoning financial assets, and maintaining long-term access.



    North Korean hackers have once again demonstrated their cunning and sophistication in the world of cyber attacks. In a recent development, it has been revealed that these threat actors have been deploying the BeaverTail malware through 11 malicious npm packages on the popular software distribution platform, npm (Node Package Manager). This sophisticated attack serves as a stark reminder of the evolving threat landscape and the need for developers to remain vigilant in protecting themselves against such attacks.

    The Contagious Interview campaign, which has been ongoing since last year, has seen the North Korean hackers adapting their tactics and incorporating new techniques to evade detection. The latest deployment of BeaverTail malware via these 11 malicious npm packages is a testament to the group's persistence and willingness to diversify their approach.

    According to Socket security researcher Kirill Boychenko, the threat actors have been employing hexadecimal string encoding to evade automated detection systems and manual code audits, indicating a variation in their obfuscation techniques. This move signals that the hackers are attempting to stay one step ahead of their adversaries by continually adapting and improving their methods.

    The malicious npm packages in question include empty-array-validator, twitterapis, dev-debugger-vite, snore-log, core-pino, events-utils, icloud-cod, cln-logger, node-clog, consolidate-log, and consolidate-logger. These packages have been collectively downloaded over 5,600 times prior to their removal from the npm registry.
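    The following is an added example, not code from the article, Socket or AhnLab: a defender-side check for a Node project that flags dependencies matching the 11 package names above and scores JavaScript source for the hex-string encoding described earlier. The regexes, thresholds and sample inputs are assumptions constructed for illustration, not published detection signatures.

```javascript
// Added example, not code from the article, Socket or AhnLab: a defender-side
// check for a Node project. It flags dependencies whose names match the 11
// packages listed in the article and scores JavaScript source for the
// hex-string encoding the article describes. Thresholds and regexes are
// assumptions chosen for illustration, not published detection signatures.

// The 11 package names reported in the article.
const FLAGGED_PACKAGES = new Set([
  "empty-array-validator", "twitterapis", "dev-debugger-vite", "snore-log",
  "core-pino", "events-utils", "icloud-cod", "cln-logger", "node-clog",
  "consolidate-log", "consolidate-logger",
]);

// Return "section:name" for every dependency in a parsed package.json that
// matches the flagged list, across all dependency sections.
function findFlaggedDependencies(pkgJson) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const hits = [];
  for (const section of sections) {
    for (const name of Object.keys(pkgJson[section] || {})) {
      if (FLAGGED_PACKAGES.has(name)) hits.push(`${section}:${name}`);
    }
  }
  return hits;
}

// Heuristic score for hex-string obfuscation in a JS source string: "\xNN"
// escape density, long quoted hex blobs, and Buffer.from(..., "hex") decode
// calls, all of which hide strings from grep-style review and simple scanners.
function hexObfuscationScore(src) {
  const hexEscapes = (src.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  const hexBlobs = (src.match(/["'`][0-9a-fA-F]{40,}["'`]/g) || []).length;
  const hexDecodes = (src.match(/Buffer\.from\([^)]*["']hex["']\)/g) || []).length;
  const suspicious = hexEscapes >= 20 || hexBlobs > 0 || hexDecodes > 0;
  return { hexEscapes, hexBlobs, hexDecodes, suspicious };
}

// Constructed sample inputs (not real malware): a package.json pulling in two
// of the flagged names, and a source file that decodes a hex blob at runtime.
const SAMPLE_PKG = {
  dependencies: { express: "^4.19.0", "core-pino": "^1.0.0" },
  devDependencies: { "cln-logger": "^0.1.0" },
};
const SAMPLE_SRC =
  'const u = Buffer.from("687474703a2f2f6578616d706c652e696e76616c6964", "hex").toString();\n' +
  'const f = "\\x72\\x65\\x71\\x75\\x69\\x72\\x65";\n';

// Run both checks over the constructed samples.
const REPORT = { deps: findFlaggedDependencies(SAMPLE_PKG), hex: hexObfuscationScore(SAMPLE_SRC) };
```

    In practice the dependency check should also be run against the lockfile and node_modules, since a flagged name can arrive as a transitive dependency that never appears in the project's own package.json.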

    It is worth noting that these malicious packages masquerade as utilities and debuggers, with one of them - dev-debugger-vite - using a command-and-control (C2) address previously flagged by SecurityScorecard as used by the Lazarus Group in a campaign codenamed Phantom Circuit in December 2024. This connection highlights the potential links between North Korean hackers and other groups involved in global cybercrime.

    Furthermore, some of the malicious packages are linked to Bitbucket repositories rather than the more commonly used GitHub. The icloud-cod package has been found to be hosted within a directory named "eiwork_hire," reiterating the threat actor's use of interview-related themes to trigger the infection.

    An analysis of the packages cln-logger, node-clog, consolidate-log, and consolidate-logger has uncovered minor code-level variations. This indicates that the attackers are publishing multiple malware variants in an attempt to increase the success rate of their campaign.

    The end goal of the Contagious Interview threat actors is to infiltrate developer systems under the guise of a job interview process. They aim to steal sensitive data, siphon financial assets, and maintain long-term access to compromised systems.

    Separately from the npm deployment, South Korean cybersecurity company AhnLab has detailed a recruitment-themed phishing campaign that delivers BeaverTail, which is then used to deploy a previously undocumented Windows backdoor codenamed Tropidoor. Artifacts analyzed by the firm show that BeaverTail is being used to actively target developers in South Korea.

    The email message, which claimed to be from a company called AutoSquare, contained a link to a project hosted on Bitbucket, urging the recipient to clone the project locally on their machine to review their understanding of the program. This application is nothing but an npm library that contains BeaverTail ("tailwind.config.js") and a DLL downloader malware ("car.dll"), the latter of which is launched by the JavaScript stealer and loader.

    Tropidoor is a backdoor "operating in memory through the downloader" that's capable of contacting a C2 server to receive instructions that make it possible to exfiltrate files, gather drive and file information, run and terminate processes, capture screenshots, and delete or wipe files by overwriting them with NULL or junk data.

    The recent deployment of BeaverTail malware via 11 malicious npm packages serves as a stark reminder of the ongoing threat landscape. It is imperative that developers and organizations remain vigilant in protecting themselves against such attacks and take proactive steps to ensure their systems are secure.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Cunning-Scheme-Deploying-BeaverTail-Malware-via-11-Malicious-npm-Packages-ehn.shtml
  • https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html
  • https://www.hendryadrian.com/north-korean-hackers-deploy-beavertail-malware-via-11-malicious-npm-packages/
  • https://thesecmaster.com/blog/apt-c-26-or-lazarus-group
  • https://en.wikipedia.org/wiki/Lazarus_Group


    Published: Sat Apr 5 22:55:48 2025 by llama3.2 3B Q4_K_M