Subj : North Korean hackers rele
To   : All
From : Mike Powell
Date : Wed Jul 16 2025 10:18 am

North Korean hackers release malware-ridden packages into npm registry

Date:
Tue, 15 Jul 2025 15:58:00 +0000

Description:
A second wave of tainted packages was spotted on npm, likely part of a larger
campaign.

FULL STORY

North Korean hackers have been seen pushing dozens of malicious packages to
npm in an attempt to compromise western technology products through supply
chain attacks.

Cybersecurity researchers Socket claim the latest push of 67 malicious
packages is just the second leg of a previous attack, in which 35 packages
were published, as part of a campaign called Contagious Interview.

"The Contagious Interview operation continues to follow a whack-a-mole
dynamic, where defenders detect and report malicious packages, and North
Korean threat actors quickly respond by uploading new variants using the
same, similar, or slightly evolved playbooks," Socket researcher Kirill
Boychenko said.

Thousands of victims

Uploading malicious code to npm is just a setup. The real attack most likely
happens elsewhere - on LinkedIn, Telegram, or Discord. North Korean attackers
would pose as recruiters, or HR managers in large, reputable tech companies,
and would reach out to software developers offering work.

The interview process includes multiple rounds of talks and concludes with a
test assignment. That test assignment requires the job seeker to download and
run an npm package, which is where the person ends up with a compromised
device. Obviously, that doesnt mean that other people couldnt accidentally
download tainted packages, as well.

Cumulatively, the packages attracted more than 17,000 downloads, which is
quite the attack surface.

North Koreans are infamous for their fake job and fake employee scams, whose
goals usually vary between cyber-espionage and financial theft. If theyre not
stealing intellectual property or proprietary data, then theyre stealing
cryptocurrencies which the government uses to fund the state apparatus and
its nuclear weapons program.

The campaigns deploy all sorts of malware , from the BeaverTail infostealer,
across XORIndex Loader, HexEval, and many others.

"Contagious Interview threat actors will continue to diversify their malware
portfolio, rotating through new npm maintainer aliases, reusing loaders such
as HexEval Loader and malware families like BeaverTail and InvisibleFerret,
and actively deploying newly observed variants including XORIndex Loader,"
the researchers concluded.

Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/north-korean-hackers-release-malware-ri
dden-packages-into-npm-registry

$$
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)

You are viewing proxied material from cvs.synchro.net. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.