North Korea’s Cyber Threat: When Job Hunting Becomes a Developer’s Nightmare!

A critical cybersecurity issue is currently in the spotlight, directly impacting software developers and IT professionals actively seeking employment.

Recently, security researchers uncovered a new supply chain attack linked to North Korean state-sponsored hackers, operating under a campaign called “Contagious Interview.” This operation involves distributing malicious npm packages specifically designed to compromise developer environments.

Supply Chain Attacked with 35 Malicious npm Packages

According to Socket, a cybersecurity research firm, this ongoing supply chain attack involves the upload of 35 malicious npm packages from 24 fake npm accounts. Alarmingly, these packages have been collectively downloaded over 4,000 times.

These packages were meticulously crafted to trick developers into unknowingly downloading and installing them. Their names mimic legitimate packages, such as react-plaid-sdk, sumsub-node-websdk, vite-plugin-next-refresh, and many others.

Crucially, as of now, six of these malicious packages remain available for download from npm: react-plaid-sdk, sumsub-node-websdk, vite-plugin-next-refresh, vite-loader-svg, node-orm-mongoose, and router-parse.

Nested Malware Structure: A Digital Matryoshka Doll

These npm packages don't contain the malware directly. Instead, they hide a hex-encoded loader dubbed HexEval. HexEval's role is to collect basic host information after installation and then selectively deliver a subsequent payload: BeaverTail, a known JavaScript stealer.

BeaverTail, in turn, is configured to download and execute InvisibleFerret, a Python backdoor. This multi-stage setup allows the threat actors to collect sensitive data and establish remote control over infected hosts.

Socket researcher Kirill Boychenko explains that "this nesting-doll structure helps the campaign evade basic static scanners and manual reviews." He adds that the threat actors are prepared to tailor their payloads, with one npm alias even shipping a cross-platform keylogger that captures every keystroke, indicating their readiness for deeper surveillance when warranted by the target.

"Contagious Interview": North Korea's Ongoing Campaign

The Contagious Interview operation was first publicly documented by Palo Alto Networks Unit 42 in late 2023. It's an ongoing campaign by North Korean state-sponsored threat actors to gain unauthorized access to developer systems, primarily aiming for cryptocurrency and data theft. The cluster is also broadly tracked under various monikers, including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

Recent iterations of the campaign have also been observed leveraging the ClickFix social engineering tactic to deliver malware such as GolangGhost and PylangGhost. This sub-cluster of activity has been designated as ClickFake Interview.

Tricking Developers Through "Fake Job Interviews"

Socket's latest findings highlight a multi-pronged approach by Pyongyang's threat actors, who employ various methods to trick prospective targets into installing malware under the guise of an interview or a Zoom meeting.

In the npm-centric offshoot of this campaign, attackers typically pose as recruiters on LinkedIn. They send job seekers and developers "coding assignments" by sharing links to malicious projects hosted on GitHub or Bitbucket, which embed these dangerous npm packages.

Conclusion and Precautions

This malicious campaign underscores the evolving tradecraft in North Korean supply chain attacks, which blends malware staging, OSINT-driven targeting, and social engineering to compromise developers through trusted ecosystems.

By embedding malware loaders like HexEval in open-source packages and delivering them through fake job assignments, threat actors circumvent perimeter defenses and gain execution on the systems of targeted developers. The campaign's multi-stage structure, minimal on-registry footprint, and attempts to evade containerized environments point to a well-resourced adversary that is continuously refining its intrusion methods in real time.

How to Protect Yourself:
  • Be extremely cautious with online job interviews: especially when you are asked to download and run code from unfamiliar or suspicious sources.
  • Verify package authenticity: before installing any npm package or library, thoroughly check the credibility of the publisher's account and the package details.
  • Use isolated environments: if you must run unverified code, use a Virtual Machine (VM) or a container (e.g., Docker) isolated from your main system.
  • Keep your software updated: ensure your operating system and all software are running the latest versions with all security patches applied.
  • Practice social engineering awareness: learn the deceptive tactics attackers use so you can avoid becoming a victim.

This attack serves as a stark reminder that even technically proficient developers can be targeted, especially when psychological manipulation and the desire for employment are exploited as vulnerabilities.