- Security researchers have spotted 67 malicious packages on NPM
- The packages are part of the Contagious Interview campaign
- They are most likely deployed by North Korean attackers
North Korean hackers have been seen pushing dozens of malicious NPM packages in an effort to compromise Western technology companies through supply chain attacks.
Cybersecurity researchers at Socket say the latest batch of 67 malicious packages is only the second wave of an earlier attack, in which 35 packages were published, as part of a campaign called Contagious Interview.
"The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors respond quickly by uploading new variants using the same, similar, or slightly evolved playbooks," said Kirill Boychenko.
Thousands of victims
Uploading the malware to NPM is only the setup. The real attack most likely happens elsewhere, on LinkedIn, Telegram or Discord. The North Korean attackers pose as recruiters or HR managers at large, well-known technology companies and contact software developers with job offers.
The interview process runs through several rounds of conversation and ends with a test assignment. That test assignment requires the job seeker to download and run an NPM package, at which point their machine is compromised. Of course, nothing stops other people from installing the poisoned packages by accident.
Cumulatively, the packages have attracted more than 17,000 downloads, which is quite the attack surface.
North Korean actors are notorious for fake job offers and fake-employee scams, with goals that generally range from cyber-espionage to financial theft. When they are not stealing intellectual property or proprietary data, they steal cryptocurrency that the regime uses to fund the state apparatus and its nuclear weapons program.
The campaigns deploy a range of malware, from the BeaverTail infostealer through the XORIndex and HexEval loaders, and many others.
"Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new NPM maintainer aliases, reusing loaders such as HexEval Loader and malware families such as BeaverTail and InvisibleFerret, and actively deploying newly observed variants including XORIndex Loader," the researchers concluded.
Via The Hacker News