Thursday, March 5, 2026

North Korean Hackers Target Developers – 35 New Malicious npm Packages Embedded in Projects

A sophisticated and ongoing supply chain attack orchestrated by North Korean hackers has targeted software developers using fake job offers and malicious npm packages.

Security researchers from Socket’s Threat Research Team have uncovered a campaign that leverages typosquatted npm packages and social engineering to deliver multi-stage malware.

The operation, linked to North Korea’s “Contagious Interview” threat group, has so far published 35 malicious packages across 24 npm accounts, six of which were still active at the time of reporting; the packages have been downloaded over 4,000 times collectively.

Malicious Payloads and Multi-Stage Attacks

The threat actors employ a clever, multi-layered approach to infection. Each malicious npm package contains a hex-encoded loader dubbed HexEval.

Upon installation, HexEval collects host metadata, including the operating system, hostname, username, and MAC addresses.

It then decodes and executes a follow-on script, which in turn fetches and runs second-stage malware called BeaverTail, an advanced infostealer linked to North Korean hackers.

BeaverTail scans the victim’s system for browser data, cryptocurrency wallets, and other sensitive files, and can download a third-stage backdoor known as InvisibleFerret for persistent control.

To evade detection, the hackers encode module names and command-and-control (C2) server URLs as hexadecimal strings, only decoding them at runtime. This technique thwarts static analysis tools and manual code reviews.

The C2 infrastructure includes endpoints hosted on Vercel, such as:

  • hxxps://log-server-lovat[.]vercel[.]app/api/ipcheck/703
  • hxxps://ip-check-server[.]vercel[.]app/api/ip-check/208
  • hxxps://ip-check-api[.]vercel[.]app/api/ipcheck/703

These endpoints often return benign data or nothing, serving malicious payloads only under specific conditions, which makes detection even harder.
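The runtime hex-decoding trick described above leaves a lexical footprint that a defender can look for. The following Node.js scanner is an added example, not code from the article or from Socket's tools: it flags string literals that are long hex runs decoding to printable text, classifies them as hidden module names or hidden URLs, counts `Buffer.from(..., 'hex')` decode calls, and leaves hex that does not decode to text (such as a digest) alone. The sample source, the placeholder URL and the list of risky modules are constructed assumptions.

```javascript
// Added example (not from the article): heuristic scan for hex-encoded
// module names and URLs that are only decoded at runtime.
const HEX_LITERAL = /(['"`])((?:[0-9a-fA-F]{2}){6,})\1/g;          // >= 12 hex chars in quotes
const DECODE_CALL = /Buffer\.from\(\s*[^,]+,\s*['"]hex['"]\s*\)/g;  // runtime hex decode
const RISKY_MODULES = new Set(['child_process', 'os', 'fs', 'net', 'http', 'https', 'dns']); // assumed list

// Decode a hex string; return the text only if every byte is printable ASCII,
// so hashes, keys and other binary blobs are not reported.
function hexToPrintable(hex) {
  const text = Buffer.from(hex, 'hex').toString('latin1');
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

function classify(text) {
  if (/^https?:\/\//i.test(text)) return 'hidden-url';
  if (RISKY_MODULES.has(text)) return 'hidden-module';
  return 'hidden-text';
}

// Scan one source file; a file is suspicious when it both carries decodable
// hex literals and contains code that decodes hex at runtime.
function scanSource(src) {
  const findings = [];
  for (const m of src.matchAll(HEX_LITERAL)) {
    const decoded = hexToPrintable(m[2]);
    if (decoded !== null) findings.push({ hex: m[2], decoded, kind: classify(decoded) });
  }
  const decodeCalls = (src.match(DECODE_CALL) || []).length;
  return { findings, decodeCalls, suspicious: findings.length > 0 && decodeCalls > 0 };
}

// Constructed sample in the style the article describes; the URL is a placeholder.
const toHex = (s) => Buffer.from(s, 'utf8').toString('hex');
const SAMPLE = `
const m = Buffer.from("${toHex('child_process')}", "hex").toString();
const u = Buffer.from("${toHex('https://c2.example.invalid/api/ipcheck')}", "hex").toString();
const digest = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"; // hash, not text
require(m).exec(u);
`;

console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
```

Run it over files under `node_modules` of a freshly cloned assignment before installing anything else; a hit on `hidden-module` plus `hidden-url` in one file is the pattern worth investigating.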

Social Engineering and Targeted Developer Attacks

The campaign begins with social engineering, as threat actors create fake recruiter profiles on LinkedIn and approach job-seeking developers with enticing remote job offers, some promising salaries as high as $25,000 per month.

After initial contact, victims are sent coding assignments via Google Docs or Bitbucket repositories, which include malicious npm packages as dependencies.

The attackers pressure candidates to run code outside of containerized environments while screen-sharing, ensuring full infection and bypassing security controls.

Victim reports on Reddit and other forums describe consistent patterns: fake recruiters delete their LinkedIn profiles or block victims after delivering the malicious code, and job descriptions and communication scripts are reused across multiple personas.

The attackers use at least 19 distinct email addresses to register npm accounts, many of which are crafted to mimic recruiter identities.

Technical Defenses and Recommendations

The campaign highlights the evolving tactics of nation-state actors in supply chain attacks, blending malware staging, OSINT-driven targeting, and social engineering. Traditional static analysis and package metadata checks are insufficient against these threats.

Developers and organizations are encouraged to adopt advanced security tooling, including real-time pull request scanning, CLI-based dependency risk analysis, and browser extensions that alert to malicious packages.

Socket’s GitHub App, CLI, and browser extension offer layered defenses, alerting teams to suspicious dependencies before they reach production systems.

Defenders must remain vigilant, as similar attacks are likely to continue targeting public package registries like npm.

Indicators of Compromise (IOCs)

Malicious npm Packages

  1. react-plaid-sdk
  2. sumsub-node-websdk
  3. vite-plugin-next-refresh
  4. vite-plugin-purify
