North Korean hackers release malware-ridden packages into npm registry

News
By published

Second wave of tainted packages spotted on npm

A red padlock image against a digital map of the earth in blue.
(Image credit: Shutterstock / Askobol)
  • Security researchers spotted 67 malicious packages on npm
  • The packages are part of the Contagious Interview campaign
  • They are most likely deployed by North Korean attackers

North Korean hackers have been seen pushing dozens of malicious packages to npm in an attempt to compromise western technology products through supply chain attacks.

Cybersecurity researchers Socket claim the latest push of 67 malicious packages is just the second leg of a previous attack, in which 35 packages were published, as part of a campaign called Contagious Interview.

"The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks," Socket researcher Kirill Boychenko said.

Thousands of victims

Uploading malicious code to npm is just a setup. The real attack most likely happens elsewhere - on LinkedIn, Telegram, or Discord. North Korean attackers would pose as recruiters, or HR managers in large, reputable tech companies, and would reach out to software developers offering work.

The interview process includes multiple rounds of talks and concludes with a test assignment. That test assignment requires the job seeker to download and run an npm package, which is where the person ends up with a compromised device. Obviously, that doesn’t mean that other people couldn’t accidentally download tainted packages, as well.

Cumulatively, the packages attracted more than 17,000 downloads, which is quite the attack surface.

North Koreans are infamous for their fake job and fake employee scams, whose goals usually vary between cyber-espionage and financial theft. If they’re not stealing intellectual property or proprietary data, then they’re stealing cryptocurrencies which the government uses to fund the state apparatus and its nuclear weapons program.

The campaigns deploy all sorts of malware, from the BeaverTail infostealer, across XORIndex Loader, HexEval, and many others.

"Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such as HexEval Loader and malware families like BeaverTail and InvisibleFerret, and actively deploying newly observed variants including XORIndex Loader," the researchers concluded.

Via The Hacker News

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.