![[The AI Show Episode 155]: The New Jobs AI Will Create, Amazon CEO: AI Will Cut Jobs, Your Brain on ChatGPT, Possible OpenAI-Microsoft Breakup & Veo 3 IP Issues](https://www.marketingaiinstitute.com/hubfs/ep%20155%20cover.png)
_lNsUgO2.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#){kind=tracking}
![Mercedes, Audi, Volvo Reject Apple's New CarPlay Ultra [Report]](https://www.iclarified.com/images/news/97711/97711/97711-640.jpg)
North Korean Hackers as Recruiters Attacking Developers With 35 New Malicious npm Packages
North Korean threat actors have launched a sophisticated supply chain attack campaign, embedding 35 malicious npm packages across 24 compromised accounts to target software developers through an elaborate recruitment deception. The campaign, identified as an extension of the ongoing “Contagious Interview” operation, represents a significant escalation in state-sponsored cyber espionage tactics targeting the open-source software […] The post North Korean Hackers as Recruiters Attacking Developers With 35 New Malicious npm Packages appeared first on Cyber Security News.
North Korean threat actors have launched a sophisticated supply chain attack campaign, embedding 35 malicious npm packages across 24 compromised accounts to target software developers through an elaborate recruitment deception.
The campaign, identified as an extension of the ongoing “Contagious Interview” operation, represents a significant escalation in state-sponsored cyber espionage tactics targeting the open-source software ecosystem.
These malicious packages collectively accumulated over 4,000 downloads before detection, with six packages remaining active on the npm registry at the time of discovery.
The attack leverages a multi-layered social engineering approach where threat actors impersonate recruiters on LinkedIn, approaching job-seeking developers with lucrative employment opportunities advertised at salaries ranging from $192,000 to $300,000 annually.
The fake recruiters distribute coding assignments through Google Docs that direct victims to clone repositories or install specific npm packages, which serve as delivery mechanisms for the malicious payload.
The campaign’s sophistication extends beyond traditional malware distribution, incorporating detailed victim profiling through open-source intelligence gathering to personalize outreach and enhance credibility.
Socket.dev analysts identified this campaign through their threat research team’s ongoing monitoring of the npm ecosystem, uncovering a complex malware architecture designed to evade detection while maintaining persistent access to compromised systems.
The researchers noted that the threat actors have evolved their tactics since earlier campaigns, transitioning from directly embedding obfuscated malware to implementing a more sophisticated loader system that fetches payloads on demand, leaving minimal forensic evidence in package registries.
The attack chain employs a nested deployment strategy featuring three distinct malware components: HexEval Loader serves as the initial infection vector, BeaverTail functions as a comprehensive information stealer, and InvisibleFerret provides backdoor capabilities for sustained access.
This layered architecture enables the attackers to maintain operational security while adapting their payloads based on target value and environment constraints.
.webp)
The campaign demonstrates advanced tradecraft through its use of tyrosquatted package names mimicking legitimate libraries, conditional payload delivery based on execution environment analysis, and integration of cross-platform keylogging capabilities for enhanced surveillance.
The threat actors employed compelling social engineering tactics that exploit the trust relationship between job seekers and recruiters, often pressuring victims to bypass containerized environments and execute code directly on host systems during screen-sharing sessions.
This approach reflects a deep understanding of developer workflows and security practices, specifically targeting the moment when developers are most vulnerable to social manipulation through the promise of career advancement.
HexEval Loader: A Sophisticated Evasion Mechanism
The HexEval Loader represents the campaign’s primary technical innovation, functioning as a compact malware delivery system designed to circumvent static analysis and manual code reviews.
The loader employs hexadecimal encoding to obfuscate critical components including module names, command-and-control endpoints, and execution logic, making cursory inspection unlikely to reveal malicious intent.
The technical implementation demonstrates sophisticated evasion techniques through its deceptively simple structure.
The core functionality centers around a hex-decoding function that converts obfuscated strings back to their ASCII representations at runtime:-
function g(h) {
return h.replace(/../g, m => String.fromCharCode(parseInt(m, 16)));
}
const hl = [
g('72657175697265'), // require
g('6178696f73'), // axios
g('706f7374'), // post
g('687474703a2f2f69702d636865636b2d7365727665722e76657263656c2e6170702f6170692f69702d636865636b2f32'),
g('7468656e') // then
];This encoding strategy effectively masks the loader’s network communication capabilities and module dependencies from automated scanning tools that rely on string-based pattern matching.
The loader establishes communication with command-and-control infrastructure through HTTPS POST requests, transmitting comprehensive system fingerprinting data including environment variables, operating system details, hostname information, and MAC addresses for device identification.
The payload retrieval mechanism demonstrates conditional execution logic, where the remote servers selectively deliver malicious code based on request characteristics, execution environment analysis, or other runtime conditions.
This approach complicates detection efforts and enables the threat actors to maintain operational security by avoiding payload delivery to security research environments or automated analysis systems.
The retrieved second-stage payload executes through JavaScript’s eval() function, enabling arbitrary code execution while maintaining minimal static footprint within the package registry.
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now
The post North Korean Hackers as Recruiters Attacking Developers With 35 New Malicious npm Packages appeared first on Cyber Security News.
