Full Report
Cybersecurity researchers have uncovered a fresh batch of malicious npm packages linked to the ongoing Contagious Interview operation originating from North Korea. According to Socket, the ongoing supply chain attack involves 35 malicious packages that were uploaded from 24 npm accounts. These packages have been collectively downloaded over 4,000 times. The complete list of the JavaScript
Analysis Summary
# Threat Actor: North Korea-linked Actor (Contagious Interview Operation)
## Attribution & Identity
* **Attribution:** North Korean state-sponsored threat actors.
* **Known Aliases/Associated Groups:** Contagious Interview operation, CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi.
* **Recent Campaign Name:** ClickFake Interview (for sub-cluster using ClickFix social engineering).
## Activity Summary
The actors are engaged in an ongoing supply chain attack targeting developers by uploading malicious packages to the npm registry. The specific activity detailed involves 35 malicious npm packages uploaded via 24 npm accounts, cumulatively downloaded over 4,000 times. This campaign structure, described as a "nesting-doll," is designed to evade static scanners.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise:** Uploading malicious code (35 packages) to the npm repository.
* **Evasion:** Employing a multi-stage infection chain (nesting-doll structure) to evade detection.
* **Information Gathering:** Initial payload (HexEval) collects host information post-installation.
* **Malware Delivery:** Selective delivery of a secondary payload (BeaverTail stealer).
* **Establishing Control:** Final payload, InvisibleFerret (Python backdoor), allows remote control.
* **Data Theft:** Primary goal includes conducting cryptocurrency and data theft.
* **Additional Capabilities:** One package shipped a cross-platform keylogger for comprehensive keystroke capture against high-value targets.
* **Social Engineering Tactic:** Recent iterations observed using the "ClickFix" social engineering tactic.
## Targeting
* **Sectors:** Developers/Software Development (targeting developer systems).
* **Geography:** Not explicitly stated, but the mechanism targets global open-source repositories (npm).
* **Victims:** Developers leveraging compromised npm dependencies. Specific organizations are not named in the summary.
## Tools & Infrastructure
* **Malware Families Used:**
  * **HexEval:** Hex-encoded loader used for host information gathering and initial payload staging.
  * **BeaverTail:** JavaScript stealer downloaded by HexEval.
  * **InvisibleFerret:** Python backdoor executed after BeaverTail to establish remote access and data exfiltration.
  * **GolangGhost** and **PylangGhost:** Malware observed in ClickFix-related iterations.
  * **Cross-platform keylogger:** Specific tailored payload for deep surveillance.
* **npm Packages Involved (Examples):** `react-plaid-sdk`, `sumsub-node-websdk`, `vite-plugin-next-refresh`, `node-orm-mongoose`, etc. (35 total).
* **Infrastructure:** Not explicitly detailed beyond the npm repository used for distribution; C2/IPs/URLs are not defanged in the source text.
## Implications
This campaign highlights the persistent threat posed by North Korean actors against the software development lifecycle (SDLC). The use of multi-stage payloads hidden within legitimate-looking packages suggests a sophisticated attempt to maintain persistence and conduct long-term espionage or financial theft from compromised development environments.
## Mitigations
* **Supply Chain Auditing:** Implement rigorous vetting and monitoring of all third-party and open-source dependencies (e.g., npm packages).
* **Dependency Scanning:** Utilize tools capable of static and dynamic scanning to detect obfuscated code and multi-stage payloads like HexEval.
* **Least Privilege:** Ensure development environments operate under the principle of least privilege to limit the damage from compromised libraries.
* **Monitor Post-Execution Behavior:** Watch systems for suspicious activity indicative of subsequent payloads (like information collection or installation of known credential stealers).
* **Update Status:** Be aware that some malicious packages may still be available on npm (e.g., `react-plaid-sdk`, `sumsub-node-websdk`). Organizations must check dependencies against documented malicious lists.
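As an added example (not code from Socket or from the report above) of the Dependency Scanning and Update Status mitigations: a small Node.js audit helper that checks a v2/v3 `package-lock.json` against the package names the report quotes, flags source text with the traits of a hex-encoded loader like HexEval, and lists install-time lifecycle hooks. The regex thresholds and the sample inputs are assumptions constructed for this example.

```javascript
'use strict';

// Package names quoted in the report; replace or extend with your own blocklist feed.
const KNOWN_MALICIOUS = new Set([
  'react-plaid-sdk', 'sumsub-node-websdk', 'vite-plugin-next-refresh', 'node-orm-mongoose',
]);

// Walk the lockfileVersion 2/3 "packages" map. Keys look like "node_modules/<name>"
// or "node_modules/a/node_modules/<name>" for nested installs; "" is the root project.
function findBlocklisted(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name && KNOWN_MALICIOUS.has(name)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// Heuristics for hex-encoded loaders (assumed thresholds): dynamic code execution,
// hex-to-string decoding, long hex literals, and long runs of \xNN escapes.
const RULES = [
  ['dynamic-eval', /\beval\s*\(|new\s+Function\s*\(/],
  ['hex-decode', /Buffer\.from\s*\([^)]*['"]hex['"]\s*\)/],
  ['long-hex-literal', /['"`][0-9a-fA-F]{32,}['"`]/],
  ['hex-escape-run', /(\\x[0-9a-fA-F]{2}){16,}/],
];
function scanSource(code) {
  // Returns the names of the rules that fired, in RULES order (empty array = clean).
  return RULES.filter(([, re]) => re.test(code)).map(([name]) => name);
}

// Lifecycle hooks run automatically on `npm install`, so any hook declared by a
// dependency deserves review before the package is allowed into the build.
function installHooks(pkgJson) {
  const s = pkgJson.scripts || {};
  return ['preinstall', 'install', 'postinstall'].filter((k) => k in s).map((k) => [k, s[k]]);
}

// Constructed sample inputs for a stand-alone run (not real package contents).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/express': { version: '4.19.2' },
  'node_modules/react-plaid-sdk': { version: '1.0.0' },
} };
// Decodes to console.log("hi"); the shape (eval + hex decode) is what the rules target.
const sampleSource = 'eval(Buffer.from("636f6e736f6c652e6c6f672822686929","hex").toString())';
const samplePkg = { scripts: { postinstall: 'node ./setup.js', test: 'jest' } };

console.log(JSON.stringify({ blocklisted: findBlocklisted(sampleLock),
  sourceFlags: scanSource(sampleSource), hooks: installHooks(samplePkg) }, null, 2));
```

In a real audit, run `findBlocklisted` on the parsed lockfile and `scanSource`/`installHooks` over each `node_modules/<pkg>` directory; a blocklist hit is a removal, while rule hits are review triggers, not proof of compromise.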