North Korean Hackers Pose as Recruiters, Target Developers with 35 New Malicious npm Packages

A new cyber campaign orchestrated by North Korean threat actors has been exposed by the Socket Threat Research Team, revealing a sophisticated supply chain attack targeting software developers through the npm registry.

Linked to the Contagious Interview operation, these adversaries have published 35 malicious npm packages across 24 accounts, with six still active on the registry, including react-plaid-sdk and vite-plugin-next-refresh.

These packages have collectively been downloaded over 4,000 times, posing a significant risk to unsuspecting developers.

Sophisticated Supply Chain Attack Unveiled

The attackers, leveraging social engineering tactics on LinkedIn by posing as recruiters, lure job-seeking engineers into executing malicious code embedded in coding assignments, often pressuring victims to bypass containerized environments for direct system access.

[Image: Malicious npm packages. Caption: Reddit users report coordinated social engineering]

The technical intricacy of this campaign lies in its multi-stage malware structure, designed to evade detection.

Each package contains a hex-encoded loader dubbed HexEval, which, upon installation, gathers host metadata and fetches the second-stage infostealer, BeaverTail, linked to DPRK actors.

BeaverTail targets sensitive data like browser artifacts and cryptocurrency wallet files across Windows, macOS, and Linux systems, while also downloading a third-stage backdoor, InvisibleFerret, for persistent access.

The HexEval Loader uses obfuscated hexadecimal strings to hide module names and command-and-control (C2) endpoints, only decoding them at runtime to issue HTTPS POST requests and execute payloads via eval().
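To make the loader shape described above concrete from the defender's side, here is an added example (not code from the Socket report or from any of the packages it names): a heuristic scanner that flags source files where long hex string literals are decoded at runtime into module names or URLs and the file also calls eval(). It assumes the loader keeps its hex literals inline in the scanned file, and the sample loader it scans is constructed here with a reserved, non-routable hostname.

```javascript
// Added example, not code from the Socket report or from any package it names:
// a heuristic scanner for the HexEval-style pattern, where module names and
// C2 endpoints sit in hex string literals, are decoded at runtime, and the
// fetched payload is run through eval().
// Assumption: the loader keeps its hex literals inline in the scanned file.
const HEX_LITERAL = /["'`]([0-9a-fA-F]{16,})["'`]/g;               // long hex-only strings
const HEX_DECODE  = /Buffer\.from\(\s*[^)]*?,\s*["']hex["']\s*\)/; // runtime hex decoding
const DYN_EXEC    = /\beval\s*\(|new\s+Function\s*\(/;             // dynamic code execution
const MODULE_NAME = /^(https?|child_process|os|fs|crypto)$/;       // names a loader tends to hide

function scanSource(src) {
  const r = { decoded: [], hiddenModules: [], hiddenEndpoints: [],
              hexDecode: HEX_DECODE.test(src), dynExec: DYN_EXEC.test(src), score: 0 };
  for (const m of src.matchAll(HEX_LITERAL)) {
    const hex = m[1];
    if (hex.length % 2) continue;                                  // not a whole byte string
    const text = Buffer.from(hex, 'hex').toString('utf8');
    if (!/^[\x20-\x7e]+$/.test(text)) continue;                    // keep printable decodes only
    r.decoded.push(text);
    if (MODULE_NAME.test(text)) r.hiddenModules.push(text);
    if (/^https?:\/\//.test(text)) r.hiddenEndpoints.push(text);
  }
  // Weighted heuristic: hex decoding alone is common in legitimate code;
  // decoding plus eval() plus hidden module names or URLs is not.
  r.score = (r.hexDecode ? 2 : 0) + (r.dynExec ? 3 : 0)
          + 2 * (r.hiddenModules.length + r.hiddenEndpoints.length);
  r.verdict = r.score >= 5 ? 'suspicious' : 'clean';
  return r;
}

// Constructed sample that mimics the described loader shape; example.invalid is
// a reserved name that never resolves, so nothing here contacts a real host.
const hex = (s) => Buffer.from(s, 'utf8').toString('hex');
const SAMPLE_LOADER = `
const a = "${hex('child_process')}";
const b = "${hex('https://example.invalid/api/ipcheck')}";
const cp = require(Buffer.from(a, "hex").toString("utf8"));
const url = Buffer.from(b, "hex").toString("utf8");
eval(fetchedPayload);
`;

console.log(JSON.stringify(scanSource(SAMPLE_LOADER), null, 2));
```

Run it against every .js file in a freshly installed node_modules tree (or in a pre-install hook) and review anything scored 'suspicious' by hand; the score is a triage signal, not a verdict on its own.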

Multi-Stage Malware Deployment

Some packages, like jsonsecs, even include a cross-platform keylogger for deeper surveillance when specific targets are identified.

According to the report, this nested approach, combined with conditional payload delivery based on runtime conditions, complicates static analysis and manual review, showcasing the attackers' evolving tradecraft.

The social engineering aspect is equally alarming, with fake recruiter profiles on LinkedIn offering lucrative remote roles with salaries between $192,000 and $300,000 annually.

These personas, backed by 19 distinct email addresses mimicking hiring identities, send coding tasks via Google Docs or Bitbucket repositories that embed malicious dependencies.

Victims report being asked to run code natively during screen-shared interviews, a deliberate tactic to ensure full system compromise.

This campaign, active since at least April 2025, reflects a blend of OSINT-driven targeting and supply chain exploitation, with typosquatted packages like reactbootstraps mimicking legitimate projects to deceive developers.

As North Korean actors refine their methods with minimal on-registry footprints and delayed malware staging, the threat to open-source ecosystems grows.

Developers and organizations must adopt advanced security tools to detect such risks before they reach production, as traditional defenses fall short against these socially engineered attacks.

Indicators of Compromise (IOCs)

Indicator Type | Details
Malicious npm Packages | react-plaid-sdk, sumsub-node-websdk, vite-plugin-next-refresh, and 32 others
C2 Endpoints | log-server-lovat[.]vercel[.]app/api/ipcheck/703, ip-check-server[.]vercel[.]app/api/ip-check/208, and others
SHA256 Hashes (Keyloggers) | WinKeyServer: e58864cc22cd8ec17ae35dd810455d604aadab7c3f145b6c53b3c261855a4bb1; MacKeyServer: 30043996a56d0f6ad4ddb4186bd09ffc1050dcc352f641ce3907d35174086e15; X11KeyServer: 6e09249262d9a605180dfbd0939379bbf9f37db076980d6ffda98d650f70a16d
