In a recent development, cybersecurity experts have identified a series of malicious npm packages linked to North Korean state-sponsored cyber actors. This campaign, known as Contagious Interview, aims to infiltrate developer environments to facilitate cryptocurrency theft and data exfiltration.
Discovery of Malicious Packages
Researchers from Socket have uncovered 35 malicious JavaScript libraries uploaded to the npm registry from 24 distinct accounts. Collectively, these packages have been downloaded over 4,000 times, posing a significant risk to developers and organizations relying on npm for software development. Notable among these packages are:
– react-plaid-sdk
– sumsub-node-websdk
– vite-plugin-next-refresh
– vite-loader-svg
– node-orm-mongoose
– router-parse
As of the latest reports, six of these packages remain available for download, increasing the urgency for developers to scrutinize their dependencies.
Technical Analysis of the Attack
Each identified npm package contains a hex-encoded loader, termed HexEval, which activates upon installation. This loader collects host information and selectively delivers a secondary payload known as BeaverTail, a JavaScript-based credential stealer. BeaverTail subsequently downloads and executes a Python backdoor named InvisibleFerret, granting attackers remote control over compromised systems.
This multi-layered, staged approach allows the malware to evade basic static analysis tools and manual code reviews: the hex-encoded loader reveals little on inspection, and the later stages are fetched only at runtime, after the host has been profiled. In some instances, the attackers have also deployed cross-platform keyloggers, indicating a readiness to tailor payloads for deeper surveillance when targeting specific individuals or organizations.
The Contagious Interview Campaign
First documented by Palo Alto Networks’ Unit 42 in late 2023, the Contagious Interview campaign is an ongoing effort by North Korean cyber actors to gain unauthorized access to developer systems. The primary objectives are cryptocurrency theft and data exfiltration. The campaign employs various aliases, including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
Social Engineering Tactics
A notable aspect of this campaign is the use of sophisticated social engineering techniques. Attackers pose as recruiters on professional networking platforms like LinkedIn, targeting software engineers actively seeking employment. They initiate contact using scripted messages and convincing job offers, often sharing links to malicious projects hosted on platforms like GitHub or Bitbucket. These projects embed the malicious npm packages, leading unsuspecting developers to install compromised software.
Broader Implications and Historical Context
This incident is part of a broader trend of supply chain attacks orchestrated by North Korean cyber actors. In March 2023, the Lazarus Group, another North Korean state-sponsored entity, infiltrated the npm ecosystem with six malicious packages designed to compromise developer environments, steal credentials, and deploy backdoors. These packages employed typosquatting tactics, closely mimicking the names of widely trusted libraries to deceive developers. ([cyware.com](https://www.cyware.com/resources/threat-briefings/weekly-threat-briefing/cyware-weekly-threat-intelligence-march-10-14-2025?utm_source=openai))
Additionally, in early 2025, North Korean hackers were suspected in a supply chain attack targeting JumpCloud, a cloud-based IT management service. The attackers utilized infrastructure and tactics previously associated with North Korean state-sponsored groups, further highlighting the persistent threat posed by these actors. ([advisory.eventussecurity.com](https://advisory.eventussecurity.com/advisory/north-korean-state-sponsored-hackers-suspected-in-jumpcloud-supply-chain-attack/?utm_source=openai))
Recommendations for Developers and Organizations
Given the increasing sophistication of these attacks, developers and organizations are urged to adopt the following measures:
1. Vigilant Dependency Management: Regularly audit and verify the integrity of all third-party packages and libraries used in development projects.
2. Enhanced Security Training: Educate development teams about the risks of social engineering and the importance of verifying the authenticity of job offers and project collaborations.
3. Implement Robust Security Tools: Utilize advanced security tools capable of detecting obfuscated or malicious code within software dependencies.
4. Monitor Network Activity: Establish continuous monitoring of network traffic to identify and respond to unusual or unauthorized activities promptly.
5. Stay Informed: Keep abreast of the latest threat intelligence reports and advisories related to supply chain attacks and North Korean cyber activities.
Conclusion
The recent discovery of malicious npm packages linked to North Korean cyber actors underscores the evolving nature of supply chain attacks. By leveraging social engineering and sophisticated malware deployment strategies, these actors pose a significant threat to developers and organizations worldwide. Proactive security measures and heightened awareness are essential to mitigate the risks associated with such attacks.