New North Korean campaign impersonates recruiters, 35 npm packages infected with malicious code

26.06.2025 2 minutes Author: Newsman

Over 4,000 downloads and dozens of developers infected — North Korea strikes again. Hackers gain complete control of victims’ systems through fake IT “tests” and malicious npm packages.

Researchers at Socket Threat Research have uncovered a new wave of attacks in which North Korea (DPRK) is using the npm platform to distribute backdoors and info stealers. This time, 35 malicious packages have been downloaded over 4,000 times. Some of them typosquat or impersonate popular libraries:

  • react-plaid-sdk, reactbootstraps, vite-loader-svg
  • node-orm-mongoose, chalk-config
  • *-logger
  • framer-motion-ext, nextjs-insight

The campaign is known as Contagious Interview: developers receive offers from supposed LinkedIn “recruiters”, who ask them to complete a test task. The task document points to repositories on Bitbucket that already contain the malicious code.

Once the malicious package is run, the HexEval Loader activates: it sends information about the host to the C2 server and launches the next stage, BeaverTail. This info stealer harvests browser data, cookies and crypto wallets. InvisibleFerret, a backdoor that gives full control over the machine, is then deployed. The chain ends with a keylogger that records every keystroke and sends the data to the attackers.

North Korea actively uses social engineering, masquerading as legitimate companies to gain access to systems through the developers themselves. Back in March, the Lazarus group distributed similar packages via npm. These attacks show that even a simple “test” task can become a trap if the code is executed on a “live” system rather than in a container or virtual machine.

Never run third-party code outside an isolated environment, especially if it arrived as part of an unexpected job offer. Countering such attacks is not only a matter of antivirus software, but also of a security culture among developers.
