Full Report
2025-06-24 • Socket • js.beavertail, py.invisibleferret
Analysis Summary
# Tool/Technique: Malicious npm Packages (Contagious Interview Campaign)
## Overview
This refers to a recent campaign attributed to North Korean actors involving the distribution of 35 newly created malicious npm packages designed to compromise software development environments.
## Technical Details
- Type: Malware/Supply Chain Attack (via npm registry)
- Platform: JavaScript/Node.js development environments
- Capabilities: Typically dependency confusion and malicious code execution upon package installation, likely for information theft or further system compromise.
- First Seen: Reported around June 2025.
## MITRE ATT&CK Mapping
*Given the context of malicious npm packages, the primary mapping focuses on supply chain compromise and initial execution.*
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain: Compromise Software Component
- T1059 - Command and Scripting Interpreter
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- TA0002 - Execution
- T1204.002 - User Execution: Malicious File
## Functionality
### Core Capabilities
- Exploiting the npm ecosystem trust mechanism.
- Delivering potentially malicious JavaScript payloads through package dependencies.
- Code execution triggered during the package installation, build, or execution lifecycle of a legitimate project.
### Advanced Features
The article context strongly suggests that these packages are part of a broader, coordinated campaign (the "Contagious Interview" campaign) run by a specific threat actor group, which points to dedicated infrastructure and possibly credential harvesting or deployment of secondary stages such as `js.beavertail` or `py.invisibleferret` (named in the metadata, though the summary text gives no details on those payloads).
## Indicators of Compromise
*No specific IOCs are detailed in the provided summary text, only the existence of 35 packages.*
- File Hashes: [Not provided]
- File Names: [Malicious npm package names - Not provided]
- Registry Keys: [Not provided]
- Network Indicators: [Not provided - Likely C2 or exfiltration destinations associated with the payload within the packages]
- Behavioral Indicators: [Execution of post-install scripts or life-cycle hooks within the npm environment]
## Associated Threat Actors
- North Korean Actors (Implied by the campaign description)
## Detection Methods
- Signature-based detection: Scanning package dependencies for known malicious code patterns or hashes (if disclosed).
- Behavioral detection: Monitoring processes spawned during `npm install` or `npm run` for unusual network connections or file system access.
- YARA rules: If the inner payloads are identified.
## Mitigation Strategies
- Strict dependency review: Minimizing the use of third-party packages, especially those with recent creation dates or low downloads/trust scores.
- Using private registries or private package mirroring to vet components before deployment.
- Implementing Least Privilege for build and deployment environments.
- Scanning package manifest files (`package.json`) for unusual post-install scripts.
## Related Tools/Techniques
- Supply chain attacks utilizing other package managers (e.g., Python PyPI, RubyGems).
- Dependency confusion techniques.
- Specific payloads mentioned in the metadata: `js.beavertail`, `py.invisibleferret` (requiring further analysis of the full report).