Cybersecurity researchers have uncovered a fresh escalation in North Korea-linked supply chain attacks, with 35 malicious npm packages uploaded from 24 accounts and collectively downloaded over 4,000 times. The campaign, tied to the ongoing Contagious Interview operation, leverages open-source JavaScript libraries as a vector to compromise developers’ systems.
Attackers embed a hex-encoded loader called HexEval, which collects host information and delivers a JavaScript stealer known as BeaverTail, followed by a Python backdoor dubbed InvisibleFerret. This multi-stage, “nesting-doll” approach helps evade static scanners and manual reviews, making detection far more challenging for targets and defenders alike.
Social Engineering and the Contagious Interview Campaign
The attackers employ convincing social engineering tactics, posing as recruiters and sending job seekers coding assignments that require cloning and running malicious projects. These projects, often hosted on code-sharing platforms, embed the tainted npm packages. Victims are typically software engineers actively seeking new roles, making them susceptible to requests that seem routine in interview processes.
This campaign exploits the trust placed in recruiters and the professional norms of technical hiring, increasing the likelihood of successful compromise.
Did you know?
The Contagious Interview campaign is tracked under multiple names, including CL-STA-0240, DeceptiveDevelopment, Famous Chollima, and Tenacious Pungsan, reflecting its scale and the number of threat intelligence teams monitoring its evolution.
The Malware Arsenal: From BeaverTail to InvisibleFerret
Each malicious npm package contains the HexEval loader, which gathers system information and selectively delivers the BeaverTail JavaScript stealer. Designed to exfiltrate sensitive data, BeaverTail can also download and execute the Python-based InvisibleFerret backdoor, thereby granting attackers persistent remote access. Some packages also include cross-platform keyloggers, enabling deeper surveillance when the target warrants it.
These tools are part of a broader arsenal used by North Korean state-sponsored groups to target cryptocurrency and technology sectors for financial gain and intelligence gathering.
Evolving Tactics and Persistent Threats
The Contagious Interview campaign is notable for its evolving tradecraft, blending malware staging, open-source intelligence, and social engineering. Attackers minimize their on-registry footprint and attempt to evade containerized environments, refining methods in real time to bypass perimeter defenses.
The campaign’s multi-pronged approach includes leveraging fake job interviews, malicious npm packages, and even insider threats, as seen in related campaigns. The persistent and adaptive nature of these attacks underscores the growing risk to the open-source software supply chain.
Defensive Measures and Industry Response
Security researchers and organizations are ramping up efforts to detect and remove malicious packages from npm and other registries. Tools and increased scrutiny of open-source contributions are helping to identify and mitigate threats. Developers are urged to exercise caution when interacting with unfamiliar recruiters or projects, especially during job searches, and to use containerized environments for running untrusted code.
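As an added illustration (not code from the article, nor from any scanner it mentions), the following Node.js heuristic shows one kind of check such tooling can run over package contents: it flags long hex-encoded string literals that decode to code, the general shape of a hex-encoded loader like the one described above. The sample inputs are constructed, and the list of code markers is an assumption, not a published signature.

```javascript
// Heuristic static check for hex-encoded loaders in JavaScript source.
// Constructed example for illustration; marker list is an assumption.

// Quoted string literal made of 40+ hex digits (long enough to hold code).
const HEX_LITERAL = /(["'`])([0-9a-fA-F]{40,})\1/g;
// Things a decoded payload tends to contain when it is code, not data.
const CODE_MARKERS = [/\beval\s*\(/, /\brequire\s*\(/, /child_process/, /\bFunction\s*\(/, /process\.env/];

function decodeHex(hex) {
  return Buffer.from(hex, "hex").toString("utf8");
}

// Returns every hex literal that decodes to code-like text, plus whether the
// file itself calls eval/new Function (the usual way such a payload is run).
function scanSource(source) {
  const findings = [];
  let m;
  while ((m = HEX_LITERAL.exec(source)) !== null) {
    const hex = m[2];
    if (hex.length % 2 !== 0) continue; // not a valid byte string
    const decoded = decodeHex(hex);
    const printable = decoded.replace(/[^\x20-\x7e\n\r\t]/g, "").length / decoded.length;
    if (printable < 0.9) continue; // binary blob (hash, key material), not code
    const hits = CODE_MARKERS.filter((re) => re.test(decoded)).map((re) => re.source);
    if (hits.length > 0) {
      findings.push({ offset: m.index, hexLength: hex.length, markers: hits, preview: decoded.slice(0, 60) });
    }
  }
  const usesEval = /\beval\s*\(|new\s+Function\s*\(/.test(source);
  return { findings, usesEval, suspicious: findings.length > 0 && usesEval };
}

// Constructed samples: a benign hex constant, and a stub loader that hides a
// host-fingerprinting snippet behind hex encoding and runs it via eval.
const BENIGN = 'const hash = "' + "ab".repeat(32) + '";';
const LOADER_BODY = 'const os=require("os");const info={host:os.hostname(),platform:os.platform()};';
const LOADER = 'eval(Buffer.from("' + Buffer.from(LOADER_BODY).toString("hex") + '","hex").toString());';

console.log(JSON.stringify({ benign: scanSource(BENIGN), loader: scanSource(LOADER) }, null, 2));
```

A real scanner would also walk every file the package ships and its install hooks; this block only shows the literal-decoding step.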
The ongoing campaign underscores the need for constant vigilance and robust supply chain security across the software development ecosystem.