
North Korean Supply Chain Attack Uncovered in Malicious npm Packages

Cybersecurity researchers have identified a new wave of malicious npm packages linked to the ongoing Contagious Interview operation



Cybersecurity researchers have identified a new wave of malicious npm packages linked to the ongoing Contagious Interview operation—an advanced supply chain attack orchestrated by North Korean threat actors.

Overview of the Threat

According to a report by Socket, this campaign has introduced 35 malicious JavaScript packages across 24 npm accounts, accumulating over 4,000 downloads. These packages impersonate legitimate developer tools to gain the trust of unsuspecting software engineers.

Notably, six of these malicious packages are still available on npm:

  • react-plaid-sdk

  • sumsub-node-websdk

  • vite-plugin-next-refresh

  • vite-loader-svg

  • node-orm-mongoose

  • router-parse

Each package contains a stealthy hex-encoded loader named HexEval, which gathers system data upon installation. Based on that data, it selectively downloads BeaverTail, a JavaScript stealer that deploys InvisibleFerret, a Python-based backdoor designed for data exfiltration and persistent remote access.

Multi-Stage Attack Chain

The operation follows a multi-stage structure:

  1. HexEval Loader – Encoded to bypass basic detection, it initiates the infection.

  2. BeaverTail – A JavaScript-based payload designed to siphon data and load further malware.

  3. InvisibleFerret – A Python backdoor that provides full control to the attackers.

Researchers also found evidence of cross-platform keyloggers, suggesting the attackers are capable of customizing payloads based on the target system for enhanced surveillance.

Background: The Contagious Interview Operation

Initially documented by Palo Alto Networks' Unit 42 in 2023, Contagious Interview is part of a broader North Korean cyber campaign targeting developers. The goal is to steal cryptocurrency and sensitive data by luring victims through fake job interviews.

Threat actor aliases include:
CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Gwisin Gang, Void Dokkaebi, and Tenacious Pungsan.

Social Engineering Tactics

Attackers pose as recruiters on LinkedIn, contacting software developers under the guise of job interviews. They share fake coding assignments hosted on GitHub or Bitbucket, which embed malicious npm dependencies. These assignments are designed to trick developers into executing the malware in unprotected environments.

“This campaign exploits trust in professional platforms and open-source ecosystems,” said Kirill Boychenko of Socket. “It blends OSINT, malware staging, and tailored social engineering in a way that’s becoming increasingly difficult to detect.”

Key Takeaway

The evolving tactics of North Korean threat actors highlight the growing risk of supply chain attacks via npm and other package managers. Developers are urged to:

  • Vet open-source packages carefully.

  • Use containerized environments for untrusted code.

  • Remain vigilant during remote interview processes.
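The script below is an added example and not code from the article or from Socket's report. It turns the loader behaviour described under "Multi-Stage Attack Chain" and the vetting advice above into a check over an installed dependency tree: it flags the six package names listed earlier and any npm install-time hook that decodes or carries a hex-encoded blob. The tree layout, the sample packages and the hex-loader heuristics are assumptions made for this example.

```javascript
// Added example (not the article's or Socket's code): audit installed npm
// packages for the indicators the article describes. The tree layout,
// the sample packages and the hex-loader heuristics are assumptions.
const KNOWN_MALICIOUS = new Set([
  "react-plaid-sdk", "sumsub-node-websdk", "vite-plugin-next-refresh",
  "vite-loader-svg", "node-orm-mongoose", "router-parse",
]);
// npm runs these lifecycle hooks automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Heuristics (assumed) for a hex-encoded loader: a long run of hex bytes,
// or decoding a "hex" string and handing it to eval.
const LONG_HEX = /(?:[0-9a-f]{2}){40,}/i;
const HEX_EVAL = /Buffer\.from\([^)]*["']hex["']\s*\)|eval\s*\(/;

// pkg = { manifest: <parsed package.json>, files: { path: contents } }
function auditPackage(name, pkg) {
  const findings = [];
  if (KNOWN_MALICIOUS.has(name)) findings.push({ name, rule: "known-malicious-name" });
  const scripts = pkg.manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Inspect the hook command and any local script it launches (node foo.js).
    const target = (/\bnode\s+(\S+)/.exec(cmd) || [])[1];
    const body = cmd + "\n" + ((target && pkg.files[target]) || "");
    const suspicious = LONG_HEX.test(body) || HEX_EVAL.test(body);
    findings.push({ name, hook, rule: suspicious ? "hex-encoded-install-hook" : "install-hook-present" });
  }
  return findings;
}

// Walk every installed package and collect findings.
function auditTree(installed) {
  return Object.entries(installed).flatMap(([name, pkg]) => auditPackage(name, pkg));
}

// Constructed sample tree: one benign package and one that decodes a hex
// blob (here just "console.log(1)") in a postinstall hook.
const SAMPLE_TREE = {
  "left-pad-ish": { manifest: { scripts: { test: "node test.js" } }, files: {} },
  "router-parse": {
    manifest: { scripts: { postinstall: "node setup.js" } },
    files: { "setup.js": 'eval(Buffer.from("636f6e736f6c652e6c6f672831290a", "hex").toString());' },
  },
};

console.log(auditTree(SAMPLE_TREE));
```

In practice the tree would be built by reading each `node_modules/<name>/package.json` and the files it references; an `install-hook-present` finding is only a prompt to read the hook, while the other two rules warrant removing the package.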

This campaign underscores the urgent need for enhanced security practices in open-source development and hiring workflows.