North Korea-linked Supply Chain Attack Targets Developers with 35 Malicious npm Packages

Posted on June 25, 2025 by CWS

Jun 25, 2025Ravie LakshmananMalware / Open Supply
Cybersecurity researchers have uncovered a recent batch of malicious npm packages linked to the continuing Contagious Interview operation originating from North Korea.
Based on Socket, the continuing provide chain assault entails 35 malicious packages that have been uploaded from 24 npm accounts. These packages have been collectively downloaded over 4,000 occasions. The entire listing of the JavaScript libraries is beneath –

react-plaid-sdk
sumsub-node-websdk
vite-plugin-next-refresh
vite-plugin-purify
nextjs-insight
vite-plugin-svgn
node-loggers
react-logs
reactbootstraps
framer-motion-ext
serverlog-dispatch
mongo-errorlog
next-log-patcher
vite-plugin-tools
pixel-percent
test-topdev-logger-v1
test-topdev-logger-v3
server-log-engine
logbin-nodejs
vite-loader-svg
struct-logger
flexible-loggers
beautiful-plugins
chalk-config
jsonpacks
jsonspecific
jsonsecs
util-buffers
blur-plugins
proc-watch
node-orm-mongoose
prior-config
use-videos
lucide-node, and
router-parse

Of these, six remain available for download from npm: react-plaid-sdk, sumsub-node-websdk, vite-plugin-next-refresh, vite-loader-svg, node-orm-mongoose, and router-parse.

Each of the identified npm packages contains a hex-encoded loader dubbed HexEval, which is designed to collect host information after installation and selectively deliver a follow-on payload that is responsible for delivering a known JavaScript stealer called BeaverTail.

BeaverTail, in turn, is configured to download and execute a Python backdoor called InvisibleFerret, enabling the threat actors to collect sensitive data and establish remote control of infected hosts.
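
A defender-side check for the hex-encoded loader pattern described above, as an added example that is not code from Socket or from the original article: it finds quoted hex literals in package source, decodes them, and reports the ones that hide readable text. The keyword list, the function names, and the sample lines are assumptions made for illustration.

```javascript
// Added example (not from Socket's report): find quoted hex literals that decode to readable text.
// Matches a quoted, even-length run of at least 12 hex digits (6+ decoded bytes).
const HEX_LITERAL = /(["'`])((?:[0-9a-fA-F]{2}){6,})\1/g;

// Assumed heuristics for this example: decoded values a logging or UI helper rarely needs to hide.
const RISKY = [/child_process/, /^https?:\/\//i, /\b(?:eval|exec|spawn)\b/];

// Decode hex and return the text only if every byte is printable ASCII.
// Hashes and binary blobs fail this check, which keeps them out of the findings.
function decodeIfPrintable(hex) {
  const text = Buffer.from(hex, "hex").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Return one finding per hex literal that hides readable text.
function scanSource(source) {
  const findings = [];
  for (const match of source.matchAll(HEX_LITERAL)) {
    const decoded = decodeIfPrintable(match[2]);
    if (decoded === null) continue;
    const line = source.slice(0, match.index).split("\n").length;
    findings.push({ line, decoded, highRisk: RISKY.some((re) => re.test(decoded)) });
  }
  return findings;
}

// Constructed sample input: inert lines; `decode` is a hypothetical helper that is never defined.
const SAMPLE = [
  'const checksum = "da39a3ee5e6b4b0d3255bfef95601890afd80709";',
  'const mod = decode("6368696c645f70726f63657373");',
  'const endpoint = decode("68747470733a2f2f6578616d706c652e696e76616c69642f6170692f7631");',
].join("\n");

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: "${f.decoded}"${f.highRisk ? " [high risk]" : ""}`);
}
```

The printable-ASCII filter is what separates obfuscated strings from legitimate hex such as the checksum on the first sample line, which decodes to non-printable bytes and is skipped.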

“This nesting-doll structure helps the campaign evade basic static scanners and manual reviews,” Socket researcher Kirill Boychenko said. “One npm alias also shipped a cross-platform keylogger package that captures every keystroke, showing the threat actors’ readiness to tailor payloads for deeper surveillance when the target warrants it.”

Contagious Interview, first publicly documented by Palo Alto Networks Unit 42 in late 2023, is an ongoing campaign undertaken by North Korean state-sponsored threat actors to obtain unauthorized access to developer systems with the goal of conducting cryptocurrency and data theft.

The cluster is also broadly tracked under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

Recent iterations of the campaign have also been observed taking advantage of the ClickFix social engineering tactic to deliver malware such as GolangGhost and PylangGhost. This sub-cluster of activity has been designated the name ClickFake Interview.

The latest findings from Socket point to a multi-pronged approach where Pyongyang threat actors are embracing various methods to trick prospective targets into installing malware under the pretext of an interview or a Zoom meeting.

The npm offshoot of Contagious Interview typically involves the attackers posing as recruiters on LinkedIn, sending job seekers and developers coding assignments by sharing a link to a malicious project hosted on GitHub or Bitbucket that embeds the npm packages within them.

“They target software engineers who are actively job-hunting, exploiting the trust that job-seekers typically place in recruiters,” Boychenko said. “Fake personas initiate contact, often with scripted outreach messages and convincing job descriptions.”

The victims are then coaxed into cloning and running these projects outside containerized environments during the purported interview process.

“This malicious campaign highlights an evolving tradecraft in North Korean supply chain attacks, one that blends malware staging, OSINT-driven targeting, and social engineering to compromise developers through trusted ecosystems,” Socket said.

“By embedding malware loaders like HexEval in open source packages and delivering them through fake job assignments, threat actors sidestep perimeter defenses and gain execution on the systems of targeted developers. The campaign’s multi-stage structure, minimal on-registry footprint, and attempt to evade containerized environments point to a well-resourced adversary refining its intrusion methods in real-time.”
