North Korea-Linked Malicious npm Packages Expose Developers to Security Risks

Cybersecurity researchers have identified a new wave of malicious npm packages connected to the ongoing Contagious Interview operation attributed to North Korean threat actors. Research published by Socket ties 35 malicious packages to 24 npm accounts and counts more than 4,000 downloads across them, figures that make the implications for software developers and technology companies serious.

Among the packages involved are ones named react-plaid-sdk and sumsub-node-websdk. Six of these packages remain available for download, so developers who pull them into a project may unknowingly install malicious code.

Each of the malicious packages contains a hex-encoded loader known as HexEval, which gathers information from the host machine after installation. This loader then fetches and installs a known JavaScript stealer called BeaverTail, designed to capture sensitive data and establish remote control over infected systems.

Researcher Kirill Boychenko from Socket emphasized the sophistication of this attack strategy, highlighting how the nesting-doll structure of the malware enables it to evade basic detection methods. This layered method not only conceals the malicious intent but also includes a cross-platform keylogger, displaying the threat actors’ dedication to surveillance.

The Contagious Interview campaign, which first came to light in late 2023, has been systematic in its targeting of software engineers and job seekers. The threat actors pose as recruiters, misleading candidates into accepting coding assignments that involve downloading malicious packages hosted on platforms like GitHub or Bitbucket. This approach exploits the inherent trust that candidates place in legitimate job searches, making them more vulnerable to attacks.
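The two traits the article attributes to these packages, a loader hidden as a hex-encoded string and activity that runs after installation, are both things a developer can screen for before running `npm install` on a coding-assignment repository or an unfamiliar dependency. The script below is an added example written for this article; it is not Socket's tooling and not code from the packages described. It checks a package.json for lifecycle install hooks and scans JavaScript source for long hex string literals that decode to readable text containing tokens such as `require(` or `child_process`. The sample package.json and index.js are constructed for illustration, and the scoring thresholds are an assumption, not a published detection rule.

```javascript
// Added example (not from the article or from Socket): a heuristic pre-install
// screen for two traits the article links to the HexEval loader:
//   (1) lifecycle hooks (preinstall/install/postinstall) in package.json, and
//   (2) long hex-encoded string literals in JS that decode to more JavaScript.
// Inputs below are constructed samples; thresholds are assumptions.

// Tokens whose presence in decoded text suggests executable code, not data.
const SUSPICIOUS_TOKENS = ['eval(', 'Function(', 'child_process', 'require(', 'fetch(', 'http'];

// Returns the lifecycle scripts that would run during `npm install`.
function findInstallHooks(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return ['preinstall', 'install', 'postinstall'].filter((k) => typeof scripts[k] === 'string');
}

// A quoted literal consisting only of hex digits and at least 64 characters long.
const HEX_LITERAL = /(["'`])([0-9a-fA-F]{64,})\1/g;

// Decodes each long hex literal and reports those that look like source code.
function findHexLoaders(source) {
  const hits = [];
  for (const m of source.matchAll(HEX_LITERAL)) {
    const hex = m[2];
    if (hex.length % 2 !== 0) continue; // not a whole number of bytes
    const decoded = Buffer.from(hex, 'hex').toString('utf8');
    // Require mostly printable output so binary blobs (images, keys) are skipped.
    const printable = decoded.replace(/[^\x20-\x7e\n\r\t]/g, '').length / decoded.length;
    if (printable < 0.9) continue;
    const tokens = SUSPICIOUS_TOKENS.filter((t) => decoded.includes(t));
    if (tokens.length > 0) {
      hits.push({ offset: m.index, hexLength: hex.length, tokens, preview: decoded.slice(0, 60) });
    }
  }
  return hits;
}

// Combines both checks into a verdict for one package.
// sources: [{ file, code }] for the package's JavaScript files.
function assessPackage(pkgJson, sources) {
  const hooks = findInstallHooks(pkgJson);
  const hexHits = sources.flatMap((s) => findHexLoaders(s.code).map((h) => ({ file: s.file, ...h })));
  let score = 0;
  if (hooks.length > 0) score += 1;   // install-time execution (assumed weight)
  if (hexHits.length > 0) score += 2; // hidden code (assumed weight)
  const verdict = score >= 2 ? 'review-before-install' : score === 1 ? 'inspect' : 'no-findings';
  return { hooks, hexHits, verdict };
}

// Constructed sample: a postinstall hook plus an index.js whose "config"
// string is really hex-encoded JavaScript that reads host information.
const hiddenJs = 'const os = require("os"); console.log(os.hostname());';
const samplePkg = { name: 'example-sdk', version: '1.0.0', scripts: { postinstall: 'node index.js' } };
const sampleIndex = `const cfg = "${Buffer.from(hiddenJs).toString('hex')}";\nmodule.exports = {};`;

console.log(JSON.stringify(assessPackage(samplePkg, [{ file: 'index.js', code: sampleIndex }]), null, 2));
```

Run it with `node` against the unpacked tarball of a dependency (`npm pack <name>` followed by `tar xf`) rather than against an already-installed copy, since by then any install hook has run. A verdict of `inspect` or `review-before-install` is a prompt to read the flagged literal and scripts by hand, not a proof of malice: legitimate packages also ship install hooks and occasionally embed hex data.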

This recent escalation in tactics underscores North Korean state-sponsored actors’ evolving strategies for cryptocurrency theft and data breaches, employing methods that skillfully blend malware distribution with sophisticated social engineering.

As the threat landscape continues to shift, developers and organizations must remain vigilant against supply chain attacks of this kind. The implications of this campaign extend far beyond individual privacy; they threaten the integrity of the global software development ecosystem.