North Korean threat actors involved in the Contagious Interview campaign are now targeting the npm ecosystem, distributing malware through 11 malicious packages that deliver BeaverTail, along with a new remote access trojan (RAT) loader.
These latest packages use hexadecimal string encoding to evade automated detection tools and manual code audits—showing an evolution in their obfuscation techniques.
Malicious packages (removed after over 5,600 total downloads)
Some of these, like events-utils and icloud-cod, are linked to Bitbucket repositories instead of GitHub. Notably, icloud-cod was hosted inside a directory named eiwork_hire, which ties back to their fake job interview tactic used to lure victims.
Analysis of packages like cln-logger, node-clog, and consolidate-log revealed slight code variations, indicating that the attackers are deploying multiple malware variants to maximize infection success.
The package dev-debugger-vite connects to a C2 server previously associated with the Lazarus Group, specifically from the Phantom Circuit campaign reported in December 2024.
Reminder to developers
Be extra cautious with new or obscure npm packages. Double-check code and origin before adding dependencies to your project.
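One practical way to act on this advice against the hexadecimal string encoding described above is to scan a package's JavaScript files for long runs of `\xNN` escapes or quoted hex-digit strings and decode them for review before installing. The following is an added example, not code from the article or from The Hacker News; the regex thresholds (8 escaped bytes, 12 hex-encoded bytes) and the sample package files are constructed assumptions.

```javascript
// Added example (not from the article): defender-side heuristic that flags
// hex-encoded strings in JavaScript source so a reviewer can see what they
// hide before adding the dependency. Thresholds and samples are constructed.

const HEX_ESCAPE_RUN = /(?:\\x[0-9a-fA-F]{2}){8,}/g;       // "\x72\x65..." runs of 8+ bytes
const HEX_LITERAL = /(["'])((?:[0-9a-fA-F]{2}){12,})\1/g;  // "7265717569..." 12+ bytes

// Decode a run of \xNN escapes into the text it hides.
function decodeHexEscapes(run) {
  return run.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// True when every byte is printable ASCII or common whitespace, i.e. the hex
// most likely hides source text (module names, URLs) rather than binary data.
function isPrintable(text) {
  return /^[\x20-\x7e\r\n\t]*$/.test(text);
}

// Return one finding per suspicious string: kind, byte offset and decoded text.
function findHexEncodedStrings(source) {
  const findings = [];
  for (const m of source.matchAll(HEX_ESCAPE_RUN)) {
    findings.push({ kind: 'hex-escape', offset: m.index, decoded: decodeHexEscapes(m[0]) });
  }
  for (const m of source.matchAll(HEX_LITERAL)) {
    const decoded = Buffer.from(m[2], 'hex').toString('latin1');
    if (isPrintable(decoded)) findings.push({ kind: 'hex-literal', offset: m.index, decoded });
  }
  return findings;
}

// Scan a map of path -> source text and report only the files with findings.
function scanPackage(files) {
  const report = {};
  for (const [path, src] of Object.entries(files)) {
    const found = findHexEncodedStrings(src);
    if (found.length) report[path] = found;
  }
  return report;
}

// Constructed sample package: one clean file and one using both encodings.
const SAMPLE_FILES = {
  'lib/logger.js': 'module.exports = (m) => console.log("[log]", m);\n',
  'lib/index.js':
    'var r = "\\x72\\x65\\x71\\x75\\x69\\x72\\x65\\x28\\x27\\x6f\\x73\\x27\\x29";\n' +
    'var p = Buffer.from("6368696c645f70726f63657373", "hex").toString();\n',
};

console.log(JSON.stringify(scanPackage(SAMPLE_FILES), null, 2));
```

Run it against an unpacked `node_modules/<package>` tree by reading each `.js` file into the map; anything that decodes to module names or URLs deserves a manual look.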
Source: The Hacker News