Three malicious packages published to the npm registry in September 2024 were found to contain BeaverTail, a known JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.
Datadog Security Research is monitoring the activity under the name Stressed Pungsan, which is also known by the aliases CL-STA-0240 and Famous Chollima.
The malicious packages, which have since been removed from the registry, are listed below:
- passports-js, a backdoored copy of passport (118 downloads)
- bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
- blockscan-api, a backdoored copy of etherscan-api (124 downloads)
Contagious Interview refers to an ongoing campaign attributed to the Democratic People’s Republic of Korea (DPRK) that tricks developers into downloading malicious packages or seemingly harmless video conferencing applications as part of a purported coding test. It was first documented in November 2023.
This is not the first time threat actors have used npm packages to distribute BeaverTail. In August 2024, software supply chain security firm Phylum uncovered another set of npm packages that paved the way for the deployment of BeaverTail and a Python backdoor called InvisibleFerret.
The malicious packages discovered at the time were temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate and qq-console. One aspect shared by the two sets of packages is the continued effort to mimic the etherscan-api package, signaling that the cryptocurrency sector is a persistent target.
Stacklok last month revealed another wave of fake packages, eslint-module-conf and eslint-scope-util, designed to harvest cryptocurrency and establish persistent access to compromised developer machines.
Palo Alto Networks Unit 42 told The Hacker News earlier this month that the campaign has proven to be an effective way to distribute malware by exploiting a job seeker’s trust and sense of urgency when applying for opportunities online.
The findings show how threat actors are increasingly abusing the open source software supply chain as an attack vector to infect downstream targets.
“Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem,” Datadog said. “These campaigns, as well as Contagious Interview more broadly, highlight that individual developers remain valuable targets for these North Korean-related threats.”