North Korean cyber threat actors linked to the ongoing Contagious Interview campaign have intensified their activity within the npm ecosystem by distributing additional malicious packages that deploy the BeaverTail malware along with a new remote access trojan (RAT) loader. The latest malicious samples have been designed with advanced obfuscation techniques to evade detection, using hexadecimal string encoding, as noted by Socket security researcher Kirill Boychenko.
Before their removal, the malicious packages, which included names such as empty-array-validator and dev-debugger-vite, were collectively downloaded over 5,600 times. This disclosure comes almost a month after a previous set of npm packages was identified as distributing the BeaverTail malware, a JavaScript stealer capable of facilitating further cyber intrusions.
The primary motivation behind this ongoing campaign appears to be the infiltration of developer environments under the pretext of job interviews. The attackers aim to extract sensitive data, siphon financial information, and maintain prolonged access to compromised systems. Among the packages, some were found to link to Bitbucket repositories, indicating a strategic choice by the attackers to utilize lesser-known platforms for their nefarious activities.
Security analysis has revealed that the malicious code within certain npm packages acts as a RAT loader, fetching additional payloads from remote servers. The persistence and adaptability of the Lazarus Group, which continues to deploy new malware variants while reusing existing components, highlight the evolving landscape of cyber threats and the ongoing risks associated with such attacks. As cybersecurity firms investigate these malicious tactics, experts urge users to remain vigilant against potential phishing attempts masquerading as legitimate job opportunities.
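The following is an added example, not code from the article or from Socket: a triage heuristic for the hexadecimal string encoding the article attributes to the new samples, which counts string literals in a package source that consist mostly of `\xNN` escapes and decodes them so an analyst can read the module names, URLs or paths they hide. The sample sources are constructed, and the thresholds are assumptions for illustration rather than published detection rules.

```javascript
// Added example, not code from the article or from Socket: a triage heuristic for
// npm package sources that lean on hex-escaped string literals ("\x68\x74...")
// to hide module names, URLs and paths. Thresholds are assumptions for illustration.

const HEX_ESCAPE = /\\x([0-9a-fA-F]{2})/g;
// Single- or double-quoted string literals; good enough for triage, not a full parser.
const STRING_LITERAL = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;

// Turn "\x68\x74\x74\x70\x73" into "https" so an analyst can read what was hidden.
function decodeHexEscapes(body) {
  return body.replace(HEX_ESCAPE, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Count string literals whose content is mostly \xNN escapes and decode them.
function analyzeSource(src) {
  let total = 0;
  let hexHeavy = 0;
  const decoded = [];
  for (const m of src.matchAll(STRING_LITERAL)) {
    const body = m[2];
    total += 1;
    const hexCount = (body.match(HEX_ESCAPE) || []).length;
    // Each escape is 4 chars; treat the literal as encoded when escapes cover >= 80% of it.
    if (hexCount > 0 && hexCount * 4 >= body.length * 0.8) {
      hexHeavy += 1;
      decoded.push(decodeHexEscapes(body));
    }
  }
  const ratio = total === 0 ? 0 : hexHeavy / total;
  // Flag when several literals are encoded and they make up at least half of all literals.
  return { total, hexHeavy, ratio, decoded, suspicious: hexHeavy >= 3 && ratio >= 0.5 };
}

// Constructed samples (not real package code). String.raw keeps the backslashes literal.
const OBFUSCATED_SAMPLE = String.raw`
const a = require("\x68\x74\x74\x70\x73");
const b = require("\x6f\x73");
const c = b["\x68\x6f\x6d\x65\x64\x69\x72"]();
console.log("ok");
`;
const PLAIN_SAMPLE = String.raw`
const path = require("path");
const msg = 'Hello,\nworld';
`;

console.log(analyzeSource(OBFUSCATED_SAMPLE)); // suspicious: true, decoded: https, os, homedir
console.log(analyzeSource(PLAIN_SAMPLE));      // suspicious: false
```

A low ratio on a minified bundle is expected, since legitimate build tooling rarely emits runs of hex escapes; the heuristic is a prompt for manual review, not a verdict.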