Security researchers have uncovered a sophisticated cyber attack campaign where North Korean hackers deployed malware through 11 malicious npm software packages. The packages, which were downloaded over 5,600 times before removal, delivered dangerous malware called BeaverTail.
The malicious packages posed as legitimate developer utilities and debugging tools, with names like "empty-array-validator" and "dev-debugger-vite". They contained obfuscated code that helped evade detection systems.
This attack appears to be part of the ongoing "Contagious Interview" campaign, in which the hackers target developers through fake job interview processes. The end goal is to infiltrate systems and steal sensitive data and financial assets while maintaining long-term unauthorized access.
Socket security researcher Kirill Boychenko noted that the attackers are actively creating new npm accounts and deploying malicious code across multiple platforms, including the npm registry, GitHub, and Bitbucket.
The campaign has also expanded to include a new Windows backdoor called Tropidoor, as discovered by South Korean cybersecurity firm AhnLab. The backdoor allows attackers to:
- Steal files
- Gather system information
- Control processes
- Take screenshots
- Delete or corrupt files
The hackers used sophisticated social engineering, sending phishing emails that appeared to come from a company called AutoSquare. These emails contained links to malicious projects on Bitbucket that developers were asked to review as part of supposed job interviews.
Security experts advise developers to exercise extreme caution when downloading npm packages or executable files from unknown sources, and to be wary of unsolicited job interview requests that require downloading and running code.
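One concrete check a developer can run against a project's lockfile, as an added example that is not part of the original report: it walks a package-lock.json (both the nested lockfileVersion 1 layout and the flat "packages" map of versions 2 and 3) and flags any dependency, direct or transitive, whose name matches the package names quoted above. The flagged list is limited to the two names given on the page (the campaign used 11), and the sample lockfile and its version numbers are constructed for the example.

```python
import json

# Package names reported on the page (partial list; the campaign used 11 in total).
FLAGGED_PACKAGES = {"empty-array-validator", "dev-debugger-vite"}


def lockfile_hits(lock: dict, flagged: set = FLAGGED_PACKAGES) -> list:
    """Return (name, version) pairs for every flagged package found in a package-lock.json.
    Handles lockfileVersion 1 (nested 'dependencies') and 2/3 (flat 'packages' map)."""
    hits = []
    # v2/v3: keys look like "node_modules/foo" or "node_modules/a/node_modules/@scope/foo"
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if name in flagged:
            hits.append((name, meta.get("version", "?")))

    # v1: dependencies form a tree, so recurse into each entry's own "dependencies"
    def walk(deps):
        for name, meta in deps.items():
            if name in flagged:
                hits.append((name, meta.get("version", "?")))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    # de-duplicate while preserving discovery order
    seen, out = set(), []
    for h in hits:
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


# Constructed sample lockfile (v3 layout) with one flagged package pulled in transitively.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/some-tool": {"version": "2.1.0"},
    "node_modules/some-tool/node_modules/dev-debugger-vite": {"version": "1.0.2"}
  }
}
""")

if __name__ == "__main__":
    for name, version in lockfile_hits(SAMPLE_LOCK):
        print(f"FLAGGED: {name}@{version}")
```

Point it at a real lockfile with `lockfile_hits(json.load(open("package-lock.json")))`; a transitive hit matters as much as a direct one, since npm installs both.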