North Korean hackers release malware-ridden packages into npm registry
Date:
Tue, 15 Jul 2025 15:58:00 +0000
Description:
A second wave of tainted packages was spotted on npm, likely part of a larger campaign.
FULL STORY
North Korean hackers have been seen pushing dozens of malicious packages to
npm in an attempt to compromise western technology products through supply chain attacks.
Cybersecurity researchers Socket claim the latest push of 67 malicious
packages is just the second leg of a previous attack, in which 35 packages
were published, as part of a campaign called Contagious Interview.
"The Contagious Interview operation continues to follow a whack-a-mole
dynamic, where defenders detect and report malicious packages, and North
Korean threat actors quickly respond by uploading new variants using the
same, similar, or slightly evolved playbooks," Socket researcher Kirill Boychenko said.
Thousands of victims
Uploading malicious code to npm is just a setup. The real attack most likely happens elsewhere - on LinkedIn, Telegram, or Discord. North Korean attackers would pose as recruiters, or HR managers in large, reputable tech companies, and would reach out to software developers offering work.
The interview process includes multiple rounds of talks and concludes with a test assignment. That test assignment requires the job seeker to download and run an npm package, which is where the person ends up with a compromised device. Obviously, that doesnt mean that other people couldnt accidentally download tainted packages, as well.
Cumulatively, the packages attracted more than 17,000 downloads, which is
quite the attack surface.
North Koreans are infamous for their fake job and fake employee scams, whose goals usually vary between cyber-espionage and financial theft. If theyre not stealing intellectual property or proprietary data, then theyre stealing cryptocurrencies which the government uses to fund the state apparatus and
its nuclear weapons program.
The campaigns deploy all sorts of malware , from the BeaverTail infostealer, across XORIndex Loader, HexEval, and many others.
"Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such
as HexEval Loader and malware families like BeaverTail and InvisibleFerret,
and actively deploying newly observed variants including XORIndex Loader,"
the researchers concluded.
Via The Hacker News
======================================================================
Link to news story:
https://www.techradar.com/pro/security/north-korean-hackers-release-malware-ri dden-packages-into-npm-registry
$$
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)