A sophisticated and ongoing cyber campaign known as the Contagious Interview is actively targeting developers through the npm ecosystem. Orchestrated by North Korean threat actors, this attack has evolved in both scale and technique. Leveraging open-source platforms such as npm, GitHub, and Bitbucket, the attackers are disguising malware as legitimate developer tools and utilities to deploy a series of dangerous payloads, including BeaverTail, InvisibleFerret, and a new remote access trojan (RAT) loader.
This campaign isn’t just about infecting machines — it’s about sustained surveillance, data exfiltration, and infiltration under the deceptive pretense of job interviews. Here’s everything you need to know.
The Campaign
- North Korean threat actors are behind a malicious campaign dubbed “Contagious Interview,” targeting developers via npm packages.
- The malware-laced packages have collectively been downloaded over 5,600 times before removal.
- New malware includes variants of BeaverTail, a JavaScript stealer, and a Python-based backdoor, InvisibleFerret.
- Attackers have shifted their tactics by using hexadecimal string encoding to evade both automated and manual detection.
- The packages pretend to be legitimate tools like loggers, debuggers, or validators.
- Some of the compromised packages include:
  - `empty-array-validator`
  - `twitterapis`
  - `dev-debugger-vite`
  - `snore-log`
  - `core-pino`
  - `events-utils`
  - `icloud-cod`
  - `cln-logger`
  - `node-clog`
  - `consolidate-log`
  - `consolidate-logger`
- These packages are linked to Bitbucket rather than GitHub, a noteworthy deviation in delivery tactics.
- Some packages reside in directories named after hiring, e.g., `eiwork_hire`, emphasizing the “fake job interview” theme.
- A command-and-control (C2) domain used in `dev-debugger-vite` was previously linked to the Lazarus Group.
- APT actors have demonstrated adaptability by spawning new npm accounts and diversifying their malware distribution channels.
- The newly found variants act as loaders, facilitating the download of second-stage payloads.
- One recent campaign even deployed a new Windows backdoor named Tropidoor through an npm package disguised as a job task.
- Tropidoor is memory-resident and uses Windows-native commands like `schtasks`, `reg`, and `ping` to maintain stealth.
- The dropper chain includes files like `tailwind.config.js` (BeaverTail) and `car.dll` (RAT loader).
- Tropidoor can steal data, wipe files, capture screenshots, and execute or kill processes.
- These tactics resemble Lazarus Group’s previous malware, LightlessCan and BLINDINGCAN.
- The actors are creating malware variants with minor code changes to bypass signature-based detection tools.
- Attack vectors include phishing emails and cloned repositories hosted on Bitbucket.
- AhnLab observed emails from a fake company “AutoSquare” urging recipients to clone a poisoned repository.
- The infection triggers when users run the npm project, believing it to be a job task.
- These social engineering techniques exploit developer trust and job-seeking vulnerabilities.
- This operation underlines the expanding reach and creativity of North Korean APTs.
- The campaign is still ongoing and has not slowed down.
- Researchers warn of continuous package publishing under new aliases to evade bans.
- The group is exhibiting hallmarks of an Advanced Persistent Threat: stealth, persistence, and flexibility.
- Devs and organizations must be vigilant with open-source dependencies, even from trusted platforms.
- Obfuscation, hosting on multiple platforms, and multi-language payloads (JS + Python) show serious development resources.
- Targeting South Korean developers further links this campaign to North Korean state-sponsored operations.
- The npm registry remains a high-risk area due to limited pre-publish security checks.
- Analysts emphasize the importance of scanning all open-source packages in CI/CD workflows.
- This case is a chilling reminder of how supply chain attacks are becoming the new cyber warfare front.
What Undercode Says:
The Contagious Interview campaign shows a strategic shift in North Korean cyber operations, evolving from basic phishing to advanced supply chain compromise. Here’s our analysis:
1. NPM Ecosystem as a Weapon
npm is a treasure trove for attackers — widely trusted, easily exploitable. The campaign highlights how public code repositories are now attack vectors. Developers who unknowingly install malicious packages introduce threats deep into software pipelines.
2. Psychological Engineering
By framing infections as job interview tasks, the attackers exploit one of the most sensitive touchpoints — professional ambition. This blending of social engineering with technical payloads increases their success probability.
3. Multi-Platform Infection Chains
The usage of Bitbucket over GitHub indicates a calculated strategy to avoid detection. Bitbucket may be less monitored compared to GitHub, allowing attackers more room to operate undetected.
4. Hexadecimal Obfuscation
Encoding scripts in hex showcases efforts to bypass both static and manual reviews. This small shift significantly boosts stealth, especially in open-source ecosystems where vetting is minimal.
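To make the hex-encoding point concrete, here is an added triage script (not code from the campaign, the article, or any vendor cited) that flags hex-encoded string literals in JavaScript sources and decodes them for review before a package is installed or built. The escape-run and length thresholds, the keyword heuristic, and the sample source are all constructed assumptions.

```javascript
// Added example: flag and decode hex-encoded string literals in JS sources.
// Thresholds and the keyword list are assumptions, not vendor rules.

// Runs of "\xNN" escapes (at least 6) and bare quoted hex strings (at least 16 chars).
const ESCAPED_HEX_RE = /(?:\\x[0-9a-fA-F]{2}){6,}/g;
const BARE_HEX_RE = /["'`]([0-9a-fA-F]{16,})["'`]/g;

// Decoded text referencing code loading, process spawning or network access
// deserves a human look. This is a triage aid, not a verdict.
const INTERESTING = /require\(|eval\(|Function\(|child_process|https?:\/\/|fetch\(|spawn|exec\(/;

function decodeEscapedHex(run) {
  return run.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function decodeBareHex(hex) {
  return Buffer.from(hex, 'hex').toString('latin1');
}

// One finding per encoded literal: offset, decoded text, and whether it trips the heuristic.
function scanSource(source) {
  const findings = [];
  for (const m of source.matchAll(ESCAPED_HEX_RE)) {
    const decoded = decodeEscapedHex(m[0]);
    findings.push({ kind: 'escaped', offset: m.index, decoded, interesting: INTERESTING.test(decoded) });
  }
  for (const m of source.matchAll(BARE_HEX_RE)) {
    if (m[1].length % 2 !== 0) continue; // odd length cannot be a byte string
    const decoded = decodeBareHex(m[1]);
    findings.push({ kind: 'bare', offset: m.index, decoded, interesting: INTERESTING.test(decoded) });
  }
  return findings;
}

function summarize(source) {
  const findings = scanSource(source);
  return { total: findings.length, review: findings.filter((f) => f.interesting).length };
}

// Constructed sample resembling a small "logger" package: one benign-looking hash
// constant (flagged but not interesting) and two obfuscated literals that decode to code.
const SAMPLE = [
  'const INTEGRITY = "' + 'deadbeef'.repeat(8) + '";',
  'const h = "7265717569726528226368696c645f70726f636573732229";',
  'const e = "\\x65\\x76\\x61\\x6c\\x28\\x73\\x29";',
  'module.exports = { log: (msg) => console.log(msg) };',
].join('\n');

console.log(summarize(SAMPLE)); // { total: 3, review: 2 }
```

Run it over the unpacked tarball of a dependency (npm pack, then scan each .js file) to get a list of decoded literals a reviewer can read in seconds.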
5. Lazarus Group Evolution
Tropidoor’s memory-only execution, use of native Windows commands, and modular loader chains signal significant evolution since BLINDINGCAN. This shows Lazarus is retooling with increased sophistication, aiming for resilience and deeper system control.
6. Job-Themed Campaigns as a Persistent Trend
Lazarus has previously used fake recruiter emails. With the addition of npm packages, the campaign takes a hybrid approach — targeting both inbox and IDE.
7. Implications for the Developer Community
The trust developers place in open-source is becoming a liability. Tools like `core-pino` or `dev-debugger-vite` sound plausible, and most devs won’t vet every dependency line-by-line. Automated static analysis and endpoint behavior detection must be enforced.
8. APT Behavior in the Open
The sheer volume of package variants, shifting host platforms, and code reusability (BeaverTail + InvisibleFerret) mirrors military-grade cyber operations. Lazarus isn’t just hacking — it’s iterating like a software company.
9. Impact on CI/CD Pipelines
If even one poisoned dependency enters a CI/CD chain, it can compromise entire build systems. The threat is not local — it’s systemic.
10. Security Tools Need to Evolve
This campaign exposes the inadequacy of current supply-chain protection tools. Static scanners and even some runtime monitors fail to catch hex-encoded payloads or memory-resident backdoors.
Fact Checker Results:
- True: The npm packages listed were indeed malicious and removed after being flagged by security researchers.
- Verified: The C2 domain used in `dev-debugger-vite` has previous ties to Lazarus Group via the Phantom Circuit operation.
- Confirmed: BeaverTail and Tropidoor are actively being used in phishing campaigns targeting South Korean developers, as reported by AhnLab.
References:
Reported By: https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html