Scam/Phishing

North Korean hackers deploy malware during technical job interview via malicious software packages

Take action: Never install "interview tools" or npm packages directly on your main computer. Always use a virtual machine or another isolated environment for any software a prospective employer asks you to test. Before installing anything, verify the hiring organization independently: check its website and public media coverage, cross-reference its address on Google Maps, and ask on Reddit whether others have dealt with the same recruiter.


Learn More

North Korean state-sponsored threat actors are using Node Package Manager (npm) registry packages to deploy malware. The malware was distributed via 67 malicious packages that collectively garnered over 17,000 downloads before detection.

This campaign is another example of the ongoing "Contagious Interview" operation. The malicious packages were published to the npm ecosystem from 18 different accounts registered with 15 distinct email addresses. Even after discovery, 27 packages remained active on the registry. The Socket Threat Research Team, who discovered this campaign, submitted takedown requests to npm's security team and petitioned for the suspension of the associated accounts.

The Contagious Interview campaign has been active since November 2023. It primarily targets developers, cryptocurrency holders, and individuals with access to sensitive credentials, using social engineering tactics.

  • The attackers use job search platforms such as LinkedIn to pose as prospective employers offering developer positions.
  • They set up fake websites and distribute malicious software disguised as professional development tools.

The malicious packages were designed to mimic legitimate software projects and libraries, borrowing names from popular tooling such as Vite, chalk, Prettier, Tailwind, and middy. Some of the package names included:

  • vite-meta-plugin
  • vite-postcss-tools
  • vite-logging-tool
  • vite-proc-log
  • pretty-chalk
  • postcss-preloader
  • js-prettier
  • flowframe
  • figwrap
  • eth-auditlog
  • springboot-js
  • tailwind-base-theme
  • midd-js
  • middy-js

When a victim installs any of these packages, a postinstall script runs automatically and launches the XORIndex Loader, which collects host information including hostname, username, external IP address, geolocation data, and platform details. This information is sent to a command-and-control (C2) server.

The C2 server responds with one or more JavaScript payloads that are executed on the victim's system via eval(). These payloads install an infostealer that scans dozens of known desktop wallet directories and browser-extension paths, archives the collected data, and exfiltrates it to an external server.

The infostealer also downloads additional malware, including a backdoor that lets the attackers retain access to the compromised system.

Organizations and developers should be very wary of any "interview tool" they are asked to install. At a minimum, run such tools in a virtual machine so that, if the tool turns out to be malware, the host machine is not exposed. Also, verify the "hiring organization" thoroughly before agreeing to install anything on your computer.
