A new cyberattack campaign linked to North Korea has been discovered, and it is targeting developers through the npm package manager. Researchers at Socket have identified 35 malicious packages that were uploaded to npm with the goal of stealing sensitive data from developers. The attack is part of a long-running operation known as the “Contagious Interview” campaign.
This campaign tricks developers, especially job seekers, by pretending to offer coding interviews. Hackers contact developers through LinkedIn, claiming to be recruiters from tech companies. They then send a Google Doc with coding instructions that include one or more npm packages to install. These packages contain hidden malware that activates once the developer installs them on their system.
The attack is carried out in multiple steps. First, a JavaScript loader named HexEval checks the system to make sure it is not a virtual machine. This helps the malware avoid detection by cybersecurity researchers. If the system appears to be safe to infect, HexEval then downloads the second-stage malware known as BeaverTail.
BeaverTail collects basic information about the victim’s system and may also steal files or credentials. It then installs a third piece of malware called InvisibleFerret. This component gives hackers remote access to the victim’s system, allowing them to execute commands, take control of files, and stay hidden for long periods without being noticed.
What makes this attack more dangerous is that some of the malicious packages are still available on npm. Socket reported that at least six packages were still live when its blog post was published. These include names like react-plaid-link, react-plaid-sdk, and vite-plugin-next-refresh. Together, these packages had already been downloaded more than 4,000 times. This means that many developers may already be infected without realizing it.
The hackers used a common trick called typosquatting. This involves using names that are almost identical to real and trusted packages, hoping that developers will mistype the package name or not notice the difference. Once installed, the malicious package runs scripts in the background that download and execute more harmful code.
The attack is not just limited to one or two developers. Researchers found that the 35 packages were spread across 24 different npm accounts. These accounts were likely created by the attackers to distribute their malware more widely. Many of the packages appeared to be completely normal. They had documentation, descriptions, and names that made them look legitimate.
Socket also discovered that the code was cleverly designed to avoid detection. The malware was split into pieces and only assembled at runtime, which made it harder for security tools to recognize the threat. This multi-stage loading approach is becoming more common in modern malware campaigns.
This is not the first time North Korea-linked attackers have used this method. Similar campaigns have been tracked before, including ones labeled DeceptiveDevelopment and CL-STA-0240. All of them show a clear pattern of using social engineering to target developers directly.
Developers are now being advised to be extremely cautious when installing npm packages, especially those sent in job-related tasks. It is important to always verify package names, check their source, and use tools that can scan for suspicious behavior. Avoid running unknown code on your main system and consider using a safe environment like a virtual machine when testing unfamiliar code.
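The two behaviours described above, install-time scripts that run in the background and typosquatted package names, can both be checked before running `npm install`. The following is an added example written for this article, not code from Socket or npm; the manifest, the trusted package list and the lookalike name `lodahs` are constructed sample data.

```javascript
// Defensive pre-install audit for an npm manifest (package.json contents).
// Flags (1) lifecycle hooks that execute commands during `npm install` and
// (2) dependency names that are near-misses of packages you actually trust.

// Plain Levenshtein edit distance using a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // d(i-1, j-1) for the current column
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // d(i-1, j), needed as next column's diagonal
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// npm runs these script names automatically when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Dependencies whose names are within maxDistance edits of a trusted name,
// but are not themselves on the trusted list, are likely typosquats.
function findTyposquats(depNames, trusted, maxDistance = 2) {
  const hits = [];
  for (const name of depNames) {
    if (trusted.has(name)) continue;
    for (const t of trusted) {
      const d = levenshtein(name, t);
      if (d > 0 && d <= maxDistance) hits.push({ name, lookalikeOf: t, distance: d });
    }
  }
  return hits;
}

// Lifecycle hooks present in the manifest, with the command each would run.
function findInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

function auditManifest(manifest, trusted) {
  const depNames = Object.keys(manifest.dependencies || {});
  return { installHooks: findInstallHooks(manifest), typosquats: findTyposquats(depNames, trusted) };
}

// Constructed sample: a manifest as it might arrive with an "interview task".
const sampleManifest = {
  name: 'interview-task',
  scripts: { postinstall: 'node ./setup.js' },
  dependencies: { lodahs: '^4.0.0', react: '^18.0.0' },
};
const trustedPackages = new Set(['react', 'vite', 'lodash']); // constructed allowlist
console.log(JSON.stringify(auditManifest(sampleManifest, trustedPackages), null, 2));
```

Running `npm install --ignore-scripts` is a further safeguard against the hook class of finding, though it also skips legitimate build steps.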
Socket has shared full technical details with npm and is working with them to remove the remaining malicious packages. While this cleanup is ongoing, the threat highlights how open-source ecosystems can be used for supply chain attacks.
This incident is a reminder that even trusted platforms like npm can be abused. Developers must stay alert, especially when working with packages shared outside of known sources. A little extra caution can prevent a lot of damage.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news