North Korean Hackers Attacking Developers with 338 Malicious npm Packages

North Korean state-sponsored threat actors have intensified their supply chain attacks against software developers through a sophisticated campaign dubbed “Contagious Interview,” deploying 338 malicious npm packages that have accumulated over 50,000 downloads.

The operation represents a dramatic escalation in the weaponization of the npm registry, targeting Web3, cryptocurrency, and blockchain developers through elaborate social engineering schemes disguised as legitimate job recruitment processes.

The campaign operates on a multi-stage attack framework that begins with reconnaissance on professional platforms like LinkedIn.

Threat actors pose as recruiters or hiring managers, screening potential victims for technical expertise and financial opportunity.

They specifically target developers working with cryptocurrency wallets, blockchain infrastructure, and Web3 applications, seeking to compromise systems likely to contain valuable credentials, private keys, and monetizable secrets.

Figure: Lockheed Martin Cyber Kill Chain framework (Source – Socket.dev)

Socket.dev analysts identified the malware following reports from victims who received fraudulent job opportunities that included coding assignments containing malicious dependencies.

Figure: Job-offer lure (Source – Socket.dev)

The researchers discovered that threat actors have evolved their tooling from direct BeaverTail malware droppers to more sophisticated HexEval, XORIndex, and encrypted loaders that execute during package installation or import processes.

The malicious packages employ typosquatting techniques targeting everyday dependencies that developers install routinely, particularly in Node.js environments.

Examples include variations of popular packages such as epxreso/epxresso/epxressoo (Express), dotevn (dotenv), and boby_parser (body-parser).

This strategy exploits the deadline pressure common in technical interviews where candidates execute “npm install” commands without thorough scrutiny.

Advanced Encryption and Persistence Mechanisms

The latest wave introduces encrypted loaders that demonstrate a significant evolution in the attackers’ technical capabilities.

These loaders utilize Node.js crypto functions with hardcoded AES-256-CBC encryption keys and initialization vectors, storing encrypted payloads in seemingly innocuous files like LICENSE documents.

The malware reconstructs obfuscated BeaverTail malware in memory before typically fetching the InvisibleFerret backdoor for persistent system access.

The encrypted loader implementation splits decryption logic across multiple files within the same package.

Analysis of the redux-saga-sentinel package reveals how the loader imports Node crypto in lib/utils/smtp-connection/parse.js while storing the encrypted payload in the LICENSE file.

During runtime, the loader decrypts the hex ciphertext to recover stage-two JavaScript code, which maintains obfuscation to evade static analysis detection.

This technique enables in-memory execution while avoiding disk-based artifacts that traditional security tools might detect.

The recovered payload establishes command-and-control communication over HTTP/HTTPS. It often uses legitimate hosting platforms such as Vercel to blend into normal developer traffic patterns, which makes detection significantly harder for security teams monitoring network communications.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.