North Korean APT Launches Massive npm Supply Chain Attack: Typosquatting & Fake Jobs Steal Crypto from Devs
A new wave of malicious npm packages has been uncovered, linked to the ongoing Contagious Interview operation, which has been attributed to North Korean threat actors. The discovery was made by the cybersecurity firm Socket, which specializes in software vulnerability analysis.
According to the report, attackers published 35 malicious packages using 24 different npm accounts. Combined, these packages have already been downloaded over 4,000 times. Among the malicious packages are modules named “react-plaid-sdk,” “sumsub-node-websdk,” “vite-plugin-next-refresh,” and “node-orm-mongoose,” along with several others. As of now, six of these packages remain available for download on the npm platform.
Socket’s researchers identified that all the infected packages include a covert loader named HexEval. This tool is silently installed upon package execution and is designed to collect information about the compromised system. In the next stage, it can fetch additional malware—namely the JavaScript-based stealer known as BeaverTail.
BeaverTail functions as a secondary payload, enabling the deployment and execution of the Python-based backdoor InvisibleFerret, which grants attackers remote access and the ability to exfiltrate sensitive data from infected devices.
According to Kirill Boychenko of Socket, the multi-layered structure of this malware toolkit is crafted to bypass conventional security controls, including static analysis and manual code audits. Furthermore, evidence was found that one of the attackers’ npm accounts also distributed a cross-platform keylogger—a tool for silently recording keystrokes—thus greatly expanding the scope of stolen information.
The Contagious Interview campaign was first publicly documented by Palo Alto Networks’ Unit 42 in late 2023. Its primary objective is to infiltrate developers’ machines in order to steal cryptocurrency and sensitive data. The actors behind this campaign are tracked under numerous aliases, including CL-STA-0240, DeceptiveDevelopment, DEVPOPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
More recent incidents have involved a separate social engineering ploy dubbed ClickFake Interview. In this scenario, victims are lured under the pretense of a job interview and are sent malicious links to GitHub or Bitbucket repositories containing infected npm packages.
Experts note that attackers are exploiting the inherent trust developers and job seekers place in recruiters. The attack sequence typically unfolds with fictitious recruiters initiating contact via LinkedIn, offering enticing job opportunities, and then sharing “technical assessments” embedded with malicious code.
Victims often run these projects in default environments without proper containerization, which facilitates the compromise. This blend of social engineering, supply chain infection, and evasion tactics illustrates the attackers’ high level of sophistication and their continuous evolution.
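As an added example (not code from the Socket report or from this article), the following Python scanner checks an unpacked npm package for two signals a defender would want to see before running a recruiter-supplied "technical assessment": lifecycle install hooks, and hex-obfuscated code fed to eval/Function. The hex heuristics are my assumptions prompted by the loader's name, not a description of HexEval's real internals, and the sample package is constructed and inert.

```python
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically; code here executes at install time.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristics (assumptions, not taken from the report): long runs of \xNN escapes,
# and eval()/Function() consuming data decoded from a hex string.
HEX_ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
HEX_DECODE_EVAL = re.compile(r"""\b(?:eval|Function)\s*\(.*?["']hex["']""", re.S)

def scan_package(pkg_dir: Path) -> list[str]:
    """Return human-readable findings for one unpacked npm package directory."""
    findings = []
    meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    for hook in LIFECYCLE_HOOKS:
        cmd = meta.get("scripts", {}).get(hook)
        if cmd:
            findings.append(f"lifecycle script '{hook}' runs: {cmd}")
    for js in sorted(pkg_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="ignore")
        if HEX_ESCAPE_RUN.search(text):
            findings.append(f"{js.name}: long \\xNN-escaped string literal")
        if HEX_DECODE_EVAL.search(text):
            findings.append(f"{js.name}: eval/Function fed hex-decoded data")
    return findings

def build_sample_package() -> Path:
    """Write a constructed, harmless sample package (not the real malware) to a temp dir."""
    root = Path(tempfile.mkdtemp()) / "example-sdk"
    root.mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "example-sdk", "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }), encoding="utf-8")
    # The escaped literal spells "hostname()"; the hex string decodes to console.log("probe").
    (root / "setup.js").write_text(
        'const k = "\\x68\\x6f\\x73\\x74\\x6e\\x61\\x6d\\x65\\x28\\x29";\n'
        'eval(Buffer.from("636f6e736f6c652e6c6f67282270726f62652229", "hex").toString());\n',
        encoding="utf-8")
    return root

if __name__ == "__main__":
    for line in scan_package(build_sample_package()):
        print("FINDING:", line)
```

Run it against `node_modules/<package>` after `npm install --ignore-scripts` so nothing executes before the check.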
Socket warns that the tactics employed by North Korean cyber actors reflect a growing trend in targeting software supply chains. By embedding malware into popular open-source libraries, disguising threats as innocuous tasks, and leveraging fake employment offers, these actors are effectively bypassing traditional security perimeters to directly infect developer systems.