1. Forum
  2. FidoNet
  3. CONSPRCY

  • North Korean hackers rele

    From Mike Powell@1:2320/105 to All on Wed Jul 16 10:18:45 2025
    North Korean hackers release malware-ridden packages into npm registry

    Date:
    Tue, 15 Jul 2025 15:58:00 +0000

    Description:
    A second wave of tainted packages was spotted on npm, likely part of a larger campaign.

    FULL STORY

    North Korean hackers have been seen pushing dozens of malicious packages to
    npm in an attempt to compromise western technology products through supply chain attacks.

    Cybersecurity researchers Socket claim the latest push of 67 malicious
    packages is just the second leg of a previous attack, in which 35 packages
    were published, as part of a campaign called Contagious Interview.

    "The Contagious Interview operation continues to follow a whack-a-mole
    dynamic, where defenders detect and report malicious packages, and North
    Korean threat actors quickly respond by uploading new variants using the
    same, similar, or slightly evolved playbooks," Socket researcher Kirill Boychenko said.

    Thousands of victims

    Uploading malicious code to npm is just a setup. The real attack most likely happens elsewhere - on LinkedIn, Telegram, or Discord. North Korean attackers would pose as recruiters, or HR managers in large, reputable tech companies, and would reach out to software developers offering work.

    The interview process includes multiple rounds of talks and concludes with a test assignment. That test assignment requires the job seeker to download and run an npm package, which is where the person ends up with a compromised device. Obviously, that doesnt mean that other people couldnt accidentally download tainted packages, as well.

    Cumulatively, the packages attracted more than 17,000 downloads, which is
    quite the attack surface.

    North Koreans are infamous for their fake job and fake employee scams, whose goals usually vary between cyber-espionage and financial theft. If theyre not stealing intellectual property or proprietary data, then theyre stealing cryptocurrencies which the government uses to fund the state apparatus and
    its nuclear weapons program.

    The campaigns deploy all sorts of malware , from the BeaverTail infostealer, across XORIndex Loader, HexEval, and many others.

    "Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such
    as HexEval Loader and malware families like BeaverTail and InvisibleFerret,
    and actively deploying newly observed variants including XORIndex Loader,"
    the researchers concluded.

    Via The Hacker News

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/north-korean-hackers-release-malware-ri dden-packages-into-npm-registry

    $$
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)