North Korean APT Launches Massive npm Supply Chain Attack: Typosquatting & Fake Jobs Steal Crypto from Devs

In a detailed expose, the Socket Threat Research Team has uncovered an ongoing and highly targeted supply chain attack attributed to North Korean threat actors, believed to be linked to the “Contagious Interview” campaign. The attackers are leveraging typosquatted npm packages and sophisticated social engineering to compromise developers and software engineers actively seeking jobs.

The attackers have published 35 malicious npm packages using 24 npm accounts, with six still live at the time of reporting—including react-plaid-sdk, sumsub-node-websdk, and vite-loader-svg. Together, these have been downloaded over 4,000 times.

Each package contains a malicious hex-encoded JavaScript loader known as HexEval. Socket describes its role:

“HexEval Loader collects host metadata, decodes its follow-on script, and, when triggered, fetches and runs BeaverTail, the infostealing second-stage malware linked to the Democratic People’s Republic of Korea (DPRK) attackers.”

This layered malware structure—HexEval → BeaverTail → InvisibleFerret—evades static code scans and leaves little forensic trace in the npm registry.

The campaign begins with convincing social engineering. North Korean operatives masquerade as recruiters on LinkedIn and lure developers with lucrative job offers (e.g., $16,000–$25,000/month). The attackers deliver code assignments embedded with malicious packages, urging victims to execute them outside containerized environments while screen-sharing.

“Victims are approached with lucrative job offers… instructing blockchain developers to interact with a Bitbucket repository as part of a fake recruitment process.”

Once the code is executed, HexEval transmits environment data to a C2 server and fetches BeaverTail, a second-stage malware that targets browser cookies, IndexedDB data, cryptocurrency wallets, and macOS Keychain files. Socket notes:

“BeaverTail scans local file systems… including Brave, Chrome, and Opera profiles. It attempts to extract files like Solana’s id.json and Exodus wallet data.”

The malware adapts dynamically to Windows, macOS, and Linux hosts. In some cases, a third-stage backdoor—InvisibleFerret—is also deployed.

Several packages contain reconnaissance scripts that fingerprint the host:

// Host fingerprinting
const data = {
  ...process.env,                     // Extract environment variables
  platform:   os.platform(),          // Operating system 
  hostname:   os.hostname(),          // Machine host name
  username:   os.userInfo().username, // Current user account
  macAddresses: getMacAddress()       // MAC address for device fingerprinting
};

In the case of jsonsecs, a cross-platform keylogger was also embedded, hooking into OS-level input functions to capture keystrokes in real-time.

“The jsonsecs package includes compiled native binaries… enabling exfiltration or real-time surveillance by the threat actors.”

The attackers are evolving. Socket notes a shift from directly embedding malware to a modular, fetch-on-demand approach using HexEval. This makes detection harder and delays the execution of payloads until runtime conditions are met.

Socket warns:

“The campaign is still active, and we expect additional malicious packages to surface.”

They recommend developers:

• Avoid installing npm packages from unfamiliar or suspicious accounts.
• Use sandboxed or containerized environments for running unknown code.
• Check for typosquatting and inspect the source code of dependencies.
• Use automated supply chain security tools that detect behavior-based anomalies.

Related Posts:

• Malicious Go Packages Target Developers with Hidden Loader Malware on Linux and macOS
• North Korean APT Lazarus Uses Malicious npm Package to Target Developers
• Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
• Developers Targeted: North Korean Hackers Deploy “BeaverTail” Malware via NFTs
• Cyber Espionage Campaign: North Korean Actors Deploy BeaverTail and InvisibleFerret

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.