A new wave of “Contagious Interview” supply-chain attacks has infected the npm registry with over 338 malicious JavaScript packages, attributed to North Korean threat actors leveraging fake recruiter personas and typosquatted dependencies.
The operation, which has amassed more than 50,000 cumulative downloads, continues to exploit social engineering and open-source ecosystems to target Web3, blockchain, and cryptocurrency developers.
The campaign demonstrates a repeatable, wave-based playbook that aligns with the Lockheed Martin Cyber Kill Chain model.
After reconnaissance via LinkedIn, where attackers impersonate recruiters offering technical job assignments, developers are directed to cloned repositories that include infected npm dependencies.
One notable instance involved a package named eslint-detector, which executed multi-stage infostealer payloads at installation.

Socket AI’s analysis revealed loader variants such as HexEval, XORIndex, and, more recently, encrypted loaders leveraging AES-256-CBC algorithms.
These loaders reconstruct the BeaverTail malware directly in memory, which then delivers InvisibleFerret, a persistent Python-based backdoor capable of credential theft, keylogging, clipboard monitoring, and remote command execution.
Unlike traditional exploits, these attacks rely on post-install scripts or import triggers in code that unsuspecting developers execute during setup.
Attackers use broad typosquatting to camouflage malicious modules. Hundreds of cloned or misspelled packages mimic core npm libraries such as expresso (for express) and near-identical spellings of dotenv and body-parser.
Others imitate popular Web3 tools, including ethrs.js, truffel, and metamask-api, tricking developers into accidental installs during coding tasks or test assignments.
Several packages, such as redux-saga-sentinel, have been found decrypting hidden hex blobs stored in innocent-looking files like LICENSE to execute obfuscated stage-two payloads.
Analysts uncovered more than a dozen command-and-control (C2) servers distributing follow-up malware through HTTP(S) and WebSocket beacons disguised as regular developer traffic (e.g., paths like /api/ipcheck and /process-log).
The infrastructure mixes raw IPs and frontend subdomains hosted on legitimate platforms such as .vercel.app to avoid detection. Even after takedowns, at least 25 packages remain live on npm, and several threat actor accounts continue to publish under aliases like anarenhsaihan.
Security researchers urge registries to adopt layered defenses: enforce two-factor re-verification for publisher accounts, implement pre-publish security scanning, and block high-risk uploads.
Development teams should treat every npm install as code execution, scan CI/CD pipelines for obfuscated loaders or postinstall scripts, and pin trusted dependency versions.
Socket’s security suite, including CLI scanning, dependency firewalls, and browser alerts, helps detect and block such malicious packages before integration, providing crucial defense against North Korea’s enduring supply-chain infiltration across open-source ecosystems.