The Socket Threat Research Team has sounded the alarm on an escalating wave of malicious npm activity linked to North Korean threat actors, who continue to weaponize the open-source software supply chain under the long-running “Contagious Interview” operation.
Since July 2025, Socket researchers have identified and analyzed more than 338 malicious packages on the npm registry, collectively exceeding 50,000 downloads. “25 of these packages remain live on the npm registry at the time of writing,” the team said, noting that takedown requests and publisher suspensions have been submitted to npm security.
The campaign blends social engineering and supply-chain compromise, targeting Web3, cryptocurrency, and blockchain developers through fake LinkedIn job offers. Threat actors pose as recruiters or hiring managers, sending victims a “coding assignment” that conceals a malicious npm dependency.
Socket described one such case: “A software engineer received a ‘job opportunity’ message, was given a repository for a quick assignment, and found an innocuous dependency named eslint-detector that contained an encrypted, obfuscated payload.” The lure was polished and industry-specific — what looked like a recruitment task was actually a staged malware delivery.

Researchers report that over 180 fake personas were used to register new npm aliases, all part of a “wave-based and iterative” infection model. Each cycle introduces new loaders and aliases, with weekly bursts of uploads and re-uploads following takedowns.
Socket notes that the threat actors’ tooling has evolved from BeaverTail malware droppers to HexEval, XORIndex, and encrypted loaders, each capable of reconstructing BeaverTail in memory before fetching the InvisibleFerret backdoor for persistence.
“Contagious Interview is not a cybercrime hobby,” Socket warned. “It operates like an assembly line or a factory-model supply chain threat… a state-directed, quota-driven operation with durable resourcing, not a weekend crew.”
The attackers rely heavily on typosquatted npm packages mimicking popular dependencies used by developers. Among the impersonated names are express, dotenv, body-parser, helmet, morgan, and nodemailer. Socket identified variants like epxresso, dotevn, boby_parser, vaildator, and morgan-logger — convincing enough to pass casual inspection during “quick interview tasks.”
For the Web3 ecosystem, the threat actors also cloned cryptocurrency development frameworks, publishing fake packages such as ethrs.js, we3.js, and hardhat-deploy-notifier to specifically target crypto job applicants and project maintainers.
Once a malicious dependency is installed, execution begins immediately through npm lifecycle hooks such as postinstall scripts. The loaders decrypt AES-256-CBC-encrypted, obfuscated code in memory, fetch the BeaverTail infostealer, and deploy the InvisibleFerret backdoor — a cross-platform Python agent capable of credential theft, keylogging, and remote command execution.
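As an added illustration of the two mechanics described above (lookalike package names and install-time lifecycle scripts), the following review aid was written for this article and is not Socket's scanner or any project code; the KNOWN allow-list, the hypothetical helper names and the sample dependency tree are constructed assumptions.

```javascript
// Added example (not Socket's tooling): flag dependency names that are near-typos
// of well-known packages, and dependencies that declare install-time scripts.
// Optimal-string-alignment distance: an adjacent transposition costs 1, so
// "dotevn"/"dotenv" and "vaildator"/"validator" score as one-edit typos.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    i === 0 ? [...Array(b.length + 1).keys()] : [i, ...Array(b.length).fill(0)]);
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1])
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
    }
  }
  return d[a.length][b.length];
}
// Allow-list you maintain yourself; seeded with the names the report says were
// impersonated plus the real Web3 libraries behind ethrs.js / we3.js (assumed).
const KNOWN = ["express", "dotenv", "body-parser", "helmet", "morgan",
  "nodemailer", "validator", "ethers", "web3", "hardhat-deploy"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
function nameFindings(depName, known = KNOWN, maxDist = 2) {
  // Normalise the tricks seen in the campaign: case, "_" for "-", a ".js" suffix.
  const norm = depName.toLowerCase().replace(/_/g, "-").replace(/\.js$/, "");
  if (known.includes(norm)) return [];
  const out = [];
  for (const k of known) {
    const distance = osaDistance(norm, k);
    if (distance <= maxDist) out.push({ dep: depName, kind: "typosquat", lookalike: k, distance });
    else if (norm.startsWith(k + "-")) out.push({ dep: depName, kind: "derivative", lookalike: k });
  }
  return out;
}
// Any install-time hook runs code the moment `npm install` resolves the package.
function hookFindings(depName, pkgJson) {
  const scripts = pkgJson.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts)
    .map((h) => ({ dep: depName, kind: "install-hook", hook: h, command: scripts[h] }));
}

// deps: { name: parsed package.json }, as read from node_modules/*/package.json.
function auditDependencies(deps) {
  return Object.entries(deps).flatMap(([n, p]) => [...nameFindings(n), ...hookFindings(n, p)]);
}
// Constructed dependency tree modelled on the names in the report.
const SAMPLE_DEPS = { express: { scripts: {} }, boby_parser: { scripts: {} },
  epxresso: { scripts: { postinstall: "node ./lib/setup.js" } },
  "hardhat-deploy-notifier": { scripts: { preinstall: "node index.js" } } };
```

Run `auditDependencies(SAMPLE_DEPS)` to list the findings; a "derivative" finding only asks for publisher verification, since legitimate plugins also reuse a base package's name.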
Socket’s AI Scanner confirmed that BeaverTail steals browser credentials, crypto-wallet data, and macOS Keychain items, while InvisibleFerret ensures persistence across Windows, macOS, and Linux environments.
Socket observed that some npm publisher accounts remained active even after their malicious packages were removed, allowing threat actors to re-upload under new names. The research team warned that simply deleting individual packages is “insufficient if the associated publisher account remains active.”
The operation’s monetization phase focuses on cryptocurrency theft and developer credential compromise. External reports estimate North Korea-linked groups have already stolen over $2 billion in 2025, following $1.3 billion in 2024.