A major North Korean supply chain attack has been uncovered, targeting software developers through a combination of social engineering and malicious npm packages.
The campaign, attributed to threat actors behind the “Contagious Interview” operation, involves at least 35 typosquatted npm packages distributed across 24 accounts, with six still active and collectively downloaded over 4,000 times.
The attackers, linked to the Democratic People’s Republic of Korea (DPRK), employed advanced technical tactics to bypass security controls and gain persistent access to developer systems.
Technical Anatomy of the Attack
At the core of this campaign is a custom malware loader, dubbed HexEval, embedded in each malicious npm package. Upon installation, HexEval collects host metadata and decodes a follow-on script, which, when triggered, fetches and executes the BeaverTail infostealer malware.
BeaverTail then references a third-stage backdoor known as InvisibleFerret, creating a multi-layered, “nesting-doll” malware structure that evades both static analysis and manual reviews.
In some instances, the attackers deployed a cross-platform keylogger capable of capturing keystrokes on Windows, macOS, and Linux, demonstrating their ability to tailor payloads for deeper surveillance.
The threat actors leveraged typosquatting, publishing look-alike names of popular npm packages such as react-plaid-sdk and reactbootstraps to trick developers into installing malicious dependencies.
Critical components, including module names and command-and-control (C2) URLs, were hex-encoded to avoid detection.
Once installed, the loader sends environment data to a C2 endpoint, retrieves a second-stage payload, and executes it via eval().
The C2 infrastructure alternates among several hardcoded endpoints, selectively serving malicious code based on runtime conditions, complicating detection and analysis.
Social Engineering
The initial access vector relies on sophisticated social engineering. North Korean operatives pose as recruiters on LinkedIn, targeting developers and engineers seeking employment.
After establishing contact, they send coding assignments, often via Google Docs, that require candidates to clone repositories or install npm packages containing the malicious loader.
Victims are frequently pressured to run the code outside of containerized environments and to screen-share their execution, a tactic designed to bypass sandboxing and ensure successful compromise.
Victims report that after executing the code, the fake recruiters often delete their LinkedIn profiles or block the target, erasing evidence and cutting off communication.
According to the report, the attackers use a network of at least 19 distinct email addresses and numerous npm aliases to register malicious accounts and maintain operational security.
The second-stage BeaverTail malware is a robust infostealer and loader, targeting browser artifacts, cookies, IndexedDB files, and cryptocurrency wallets across multiple operating systems.
It dynamically adapts its behavior based on the host environment and can deploy additional payloads, such as the InvisibleFerret backdoor, for persistent access.
The campaign’s modular, multi-stage architecture enables selective targeting and minimizes on-registry footprints, reflecting a high level of technical sophistication.
This campaign highlights the evolving tradecraft of North Korean supply chain attacks, blending malware staging, OSINT-driven targeting, and social engineering.
Defenders should anticipate continued abuse of public registries and delayed second-stage malware delivery.
Proactive security tooling, such as real-time pull request scanning, CLI-based package risk alerts, and browser extensions that warn of malicious packages, is essential to mitigate these threats. Static analysis and metadata checks alone are no longer sufficient against such advanced adversaries.
Indicators of Compromise (IOCs)
| Type | Value / Example |
|---|---|
| Malicious npm Packages | react-plaid-sdk, sumsub-node-websdk, vite-plugin-next-refresh, node-orm-mongoose, router-parse, etc. |
| npm Aliases | liamnevin, pablomendes, loveryon, jtgleason, topdev0921, grace107, supercrazybug, etc. |
| Email Addresses | maria.sam.recruiter@gmail[.]com, toptalent0921@gmail[.]com, business00747@gmail[.]com, etc. |
| C2 Endpoints | hxxps://log-server-lovat[.]vercel[.]app/api/ipcheck/703; hxxps://ip-check-server[.]vercel[.]app/api/ip-check/208; hxxps://ip-check-api[.]vercel[.]app/api/ipcheck/703; 172[.]86[.]80[.]145 |
| Bitbucket Repositories | hxxps://bitbucket[.]org/notion-dex/ultrax; hxxps://bitbucket[.]org/zoro-workspace/ |
| SHA256 Hashes | e58864cc22cd8ec17ae35dd810455d604aadab7c3f145b6c53b3c261855a4bb1 (WinKeyServer); 30043996a56d0f6ad4ddb4186bd09ffc1050dcc352f641ce3907d35174086e15 (MacKeyServer); 6e09249262d9a605180dfbd0939379bbf9f37db076980d6ffda98d650f70a16d (X11KeyServer) |
| MITRE ATT&CK | T1195.002, T1608.001, T1204.002, T1059.007, T1027.013, T1546.016, T1005, T1082, T1083, T1217, T1555.003, T1555.001, T1056.001, T1041, T1105, T1119, T1657 |