North Korean Hackers Target Developers with Malicious npm Packages in Job Scam

Bisma Farrukh

A new wave of North Korea’s “Contagious Interview” campaign targets software developers with malicious npm packages disguised as legitimate job-related coding tasks. Security researchers at Socket Threat Research uncovered 35 such packages, which deploy the BeaverTail info-stealer and InvisibleFerret backdoor, both tools previously linked to North Korean state-sponsored actors.
These malicious packages, uploaded through 24 npm accounts, have been downloaded over 4,000 times. As of now, six remain live on npm.
Several packages mimic popular libraries (a technique known as typosquatting), making them especially deceptive. Examples include:
- react-plaid-sdk, reactbootstraps
- vite-plugin-next-refresh, vite-loader-svg
- node-orm-mongoose
- chalk-config
- nextjs-insight
- struct-logger, logbin-nodejs
The campaign’s victims are mostly developers approached on LinkedIn by operatives posing as recruiters. These “recruiters” send fake job assessments hosted on Bitbucket, instructing candidates to clone and run projects embedded with malware, often pressuring them to do so outside sandboxed environments while screen sharing.
The infection begins with the HexEval Loader, which fingerprints the victim’s system and fetches BeaverTail. BeaverTail steals browser data, including crypto wallets, and downloads InvisibleFerret, a persistent backdoor that allows full remote access. Some victims are also infected with a cross-platform keylogger, likely used only on high-value targets.
Researchers warn developers to be cautious of unsolicited job offers, especially ones involving coding assignments. Unknown code should always be run in secure environments like containers or VMs.
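Before cloning and installing an unsolicited assignment, a quick look at its package.json is cheap. The following is an added example, not code from the article or from Socket's research: it flags dependencies whose names match the packages listed above and any npm lifecycle scripts (preinstall, install, postinstall, prepare) that npm runs automatically during `npm install`. The sample package.json is constructed for illustration.

```javascript
// Added example: triage a project's package.json before running `npm install`.
// Not code from the article or from Socket; the sample input is constructed.

// Package names as reported in the article above.
const REPORTED_PACKAGES = new Set([
  "react-plaid-sdk", "reactbootstraps", "vite-plugin-next-refresh",
  "vite-loader-svg", "node-orm-mongoose", "chalk-config", "nextjs-insight",
  "struct-logger", "logbin-nodejs",
]);

// Lifecycle scripts npm executes on its own during a plain `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns a list of findings; an empty list means nothing matched.
function triagePackageJson(json) {
  const pkg = JSON.parse(json);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(pkg[field] || {})) {
      if (REPORTED_PACKAGES.has(name)) {
        findings.push({ kind: "reported-package", detail: `${field}: ${name}` });
      }
    }
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: "install-hook", detail: `${hook}: ${scripts[hook]}` });
    }
  }
  return findings;
}

// Constructed sample: a hypothetical "take-home assessment" package.json.
const SAMPLE = JSON.stringify({
  name: "take-home-assessment",
  scripts: { postinstall: "node setup.js", test: "jest" },
  dependencies: { express: "^4.18.2", "react-plaid-sdk": "^1.0.0" },
  devDependencies: { jest: "^29.0.0" },
});

for (const f of triagePackageJson(SAMPLE)) {
  console.log(`[${f.kind}] ${f.detail}`);
}
```

A match on either check is a reason to read the project offline, in a throwaway VM or container, before installing anything.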
This is not the first instance of North Korean hackers using npm for such campaigns; similar activity was reported in March, attributed to the Lazarus Group.