TZUTC: -0500
MSGID: 1234.consprcy@1:2320/105 2cdcfda7
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
North Korean hackers release malware-ridden packages into npm registry

Date:
Tue, 15 Jul 2025 15:58:00 +0000

Description:
A second wave of tainted packages was spotted on npm, likely part of a larger
campaign.

FULL STORY

North Korean hackers have been seen pushing dozens of malicious packages to
npm in an attempt to compromise western technology products through supply
chain attacks. 

Cybersecurity researchers Socket claim the latest push of 67 malicious
packages is just the second leg of a previous attack, in which 35 packages
were published, as part of a campaign called Contagious Interview. 

"The Contagious Interview operation continues to follow a whack-a-mole
dynamic, where defenders detect and report malicious packages, and North
Korean threat actors quickly respond by uploading new variants using the 
same, similar, or slightly evolved playbooks," Socket researcher Kirill
Boychenko said.

Thousands of victims 

Uploading malicious code to npm is just a setup. The real attack most likely
happens elsewhere - on LinkedIn, Telegram, or Discord. North Korean attackers
would pose as recruiters, or HR managers in large, reputable tech companies,
and would reach out to software developers offering work. 

The interview process includes multiple rounds of talks and concludes with a
test assignment. That test assignment requires the job seeker to download and
run an npm package, which is where the person ends up with a compromised
device. Obviously, that doesnt mean that other people couldnt accidentally
download tainted packages, as well. 

Cumulatively, the packages attracted more than 17,000 downloads, which is
quite the attack surface. 

North Koreans are infamous for their fake job and fake employee scams, whose
goals usually vary between cyber-espionage and financial theft. If theyre not
stealing intellectual property or proprietary data, then theyre stealing
cryptocurrencies which the government uses to fund the state apparatus and 
its nuclear weapons program. 

The campaigns deploy all sorts of malware , from the BeaverTail infostealer,
across XORIndex Loader, HexEval, and many others. 

"Contagious Interview threat actors will continue to diversify their malware
portfolio, rotating through new npm maintainer aliases, reusing loaders such
as HexEval Loader and malware families like BeaverTail and InvisibleFerret,
and actively deploying newly observed variants including XORIndex Loader," 
the researchers concluded. 

 Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/north-korean-hackers-release-malware-ri
dden-packages-into-npm-registry

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426