Full Report
A new wave of North Korea's 'Contagious Interview' campaign is targeting job seekers with malicious npm packages that infect developers' devices with infostealers and backdoors. [...]
Analysis Summary
# Threat Actor: North Korean Actors ('Contagious Interview' Campaign, npm Ecosystem Attacks)
## Attribution & Identity
The report ties this wave to North Korea's 'Contagious Interview' campaign; the analysis does not name a specific unit beyond that. The delivery mechanism (malicious package distribution through the public npm registry) matches tactics previously employed by **Lazarus Group** (North Korean hackers), who were caught submitting malicious packages on npm last March. The activity leverages the software supply chain via the npm ecosystem.
## Activity Summary
The current campaign involves a new wave of attacks targeting software developers via "fake interviews" offering lucrative remote job opportunities. The attackers uploaded 35 malicious npm packages designed to compromise developers who install them.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** Publishing malicious packages to the public npm registry and luring developers into installing them as part of the fake interview process (the packages are attacker-authored, not trojanized copies of existing libraries).
- **Stage 1 Execution (Host Fingerprinting/C2 Check-in):** Execution of **HexEval Loader** upon installation, which fingerprints the host and contacts the C2 server.
- **Dynamic Payload Retrieval:** The loader fetches the second-stage payload from the C2 and executes it with `eval()`, so the bulk of the malicious code never has to ship inside the published package.
- **Information Stealing/Loading:** Delivery and execution of **BeaverTail**, an info-stealer and malware loader.
- **Persistence & Remote Access:** Delivery of **InvisibleFerret**, a cross-platform persistent backdoor (delivered as a ZIP file).
- **Collection/Surveillance:** Deployment of a cross-platform keylogger that hooks low-level input events for real-time surveillance of the victim.
The article does not explicitly list MITRE ATT&CK IDs.
## Targeting
- **Sectors:** Software development community; individuals seeking remote job opportunities.
- **Geography:** Not explicitly stated, but the use of npm suggests targeting a global software development audience.
- **Victims:** Software developers who install and run the attacker-supplied npm packages during a fake interview process.
## Tools & Infrastructure
- **Malware families used:**
- HexEval Loader (Stage 1 Loader/C2 contact)
- BeaverTail (Stage 2: Multi-platform info-stealer, steals browser data, cookies, and crypto wallets)
- InvisibleFerret (Stage 3: Cross-platform persistent backdoor)
- Cross-platform Keylogger (Final stage/selective high-value deployment)
- **Infrastructure:** Command-and-Control (C2) servers contacted by HexEval Loader. (Specific C2 details were not provided in the summary context.)
## Implications
This campaign highlights a significant and ongoing threat to the software supply chain, specifically targeting developers through social engineering related to job opportunities. Successful compromise grants attackers deep, persistent access to developer machines, risking intellectual property theft, credential compromise, and further downstream supply chain attacks.
## Mitigations
- Treat unsolicited job offers or "interview assignments" that require cloning a repository or installing unfamiliar npm packages as suspicious; the lure, not the package name, is the tell.
- Never install or run such code on the primary workstation. Use a disposable virtual machine or container that has no access to browser profiles, SSH keys, wallet files, or cloud credentials, and discard it afterwards.
- Install with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) so `preinstall`/`postinstall` hooks cannot run automatically, and review the `scripts` block of `package.json` before enabling them.
- Inspect the unpacked package (`npm pack <pkg>`, then extract the tarball) before first run: look for `eval()` / `new Function()` applied to decoded or downloaded strings, long hex-encoded blobs, and host-fingerprinting calls.
- If such a package has already been run, assume BeaverTail-class theft: rotate browser-saved passwords, session cookies, and API tokens, move cryptocurrency to fresh wallet keys, and hunt for a persistent backdoor (InvisibleFerret) before trusting the host again.