The threat actors from North Korea associated with the ongoing Contagious Interview campaign have been discovered spreading their malicious activities to the npm ecosystem. They have published multiple malicious packages that deliver the BeaverTail malware and a new remote access trojan (RAT) loader.
According to Socket security researcher Kirill Boychenko, these latest samples utilize hexadecimal string encoding to evade detection by automated systems and manual code audits, indicating a shift in the threat actors’ obfuscation techniques.
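As an added example, not code from the Socket or AhnLab reports, a small Node.js triage script that flags string literals built almost entirely from `\xHH` escapes in a package's JavaScript and decodes them so a reviewer can see what the obfuscation hides. The sample source, the `example.invalid` host and the density thresholds are constructed assumptions, not indicators or logic from the reports.

```javascript
// Added example, not code from the Socket or AhnLab reports: flags string
// literals built almost entirely from \xHH escapes (the encoding the
// Contagious Interview npm samples use) and decodes them for triage.
const HEX_ESCAPE = /\\x([0-9a-fA-F]{2})/g;
// Single-, double- or backtick-quoted literal; \\. keeps escaped quotes inside.
const STRING_LITERAL = /(["'`])((?:\\.|(?!\1)[^\\\n])*)\1/g;
// Decoded text worth a closer look in a package that has no business using it.
const SUSPICIOUS = /child_process|https?:\/\/|\beval\b|\bfs\b/;
function decodeHexEscapes(body) {
  return body.replace(HEX_ESCAPE, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}

// One finding per literal whose escape density (escapes per decoded character)
// meets minRatio. Thresholds are assumptions for this example, not Socket's.
function findHexEncodedStrings(source, minRatio = 0.5, minLen = 6) {
  const findings = [];
  for (const m of source.matchAll(STRING_LITERAL)) {
    const body = m[2];
    const escapes = (body.match(HEX_ESCAPE) || []).length;
    if (escapes === 0) continue;
    const decoded = decodeHexEscapes(body);
    if (decoded.length < minLen) continue;
    const ratio = escapes / decoded.length;
    if (ratio < minRatio) continue;
    findings.push({
      line: lineOf(source, m.index),
      decoded,
      ratio: Number(ratio.toFixed(2)),
      suspicious: SUSPICIOUS.test(decoded),
    });
  }
  return findings;
}
// Constructed sample in the style of the obfuscated packages; the host
// example.invalid is a placeholder, not an indicator from the reports.
const SAMPLE = String.raw`
const os = require("os");
const cp = require("\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73");
const u = "\x68\x74\x74\x70\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x70";
console.log("ok");
`.trim();

for (const f of findHexEncodedStrings(SAMPLE)) {
  console.log(`line ${f.line}: ${JSON.stringify(f.decoded)} (density ${f.ratio}, suspicious=${f.suspicious})`);
}
```

Run it over every `.js` file in an unpacked tarball (including `package.json` install scripts) and review any finding marked suspicious by hand; a high escape density is a triage signal, not proof of malice on its own.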
The following packages, downloaded more than 5,600 times in total before their removal, are the ones identified so far:
- empty-array-validator
- twitterapis
- dev-debugger-vite
- snore-log
- core-pino
- events-utils
- icloud-cod
- cln-logger
- node-clog
- consolidate-log
- consolidate-logger
This discovery comes nearly a month after six npm packages were found to be distributing BeaverTail, a JavaScript stealer capable of delivering a Python-based backdoor known as InvisibleFerret.
The ultimate goal of this campaign is to infiltrate developer systems under the guise of a job interview process, steal sensitive data, siphon financial assets, and maintain long-term access to compromised systems.
One of the packages, dev-debugger-vite, uses a command-and-control (C2) address previously linked to the Lazarus Group in a campaign known as Phantom Circuit in December 2024.
What’s notable about these packages is that some, such as events-utils and icloud-cod, are connected to Bitbucket repositories, rather than GitHub. Additionally, the icloud-cod package is hosted within a directory named “eiwork_hire,” emphasizing the threat actor’s use of interview-related themes to initiate the infection.
An analysis of the packages, including cln-logger, node-clog, consolidate-log, and consolidate-logger, has revealed minor variations in the code, suggesting that the attackers are releasing multiple malware variants to increase the campaign’s success rate.
Despite the variations, the malicious code embedded within the four packages functions as a remote access trojan (RAT) loader capable of retrieving a next-stage payload from a remote server.
According to Boychenko, “The Contagious Interview threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down.
“The advanced persistent threat (APT) group is diversifying its tactics — publishing new malware under fresh aliases, hosting payloads in both GitHub and Bitbucket repositories, and reusing core components like BeaverTail and InvisibleFerret alongside a newly observed RAT/loader variant.”
BeaverTail Drops Tropidoor
Meanwhile, South Korean cybersecurity company AhnLab has detailed a recruitment-themed phishing campaign that delivers BeaverTail, which is then used to deploy a previously undocumented Windows backdoor codenamed Tropidoor. According to AhnLab, BeaverTail is being actively used to target developers in South Korea.
The email message claimed to be from a company called AutoSquare and contained a link to a project hosted on Bitbucket, urging the recipient to clone the project locally to review their understanding of the program.
The application was an npm library containing BeaverTail (“tailwind.config.js”) and a DLL downloader malware (“car.dll”), the latter of which was launched by the JavaScript stealer and loader.
Tropidoor is a backdoor that operates in memory through the downloader and can contact a C2 server to receive instructions, enabling it to exfiltrate files, gather drive and file information, run and terminate processes, capture screenshots, and delete or wipe files by overwriting them with NULL or junk data.
Notably, Tropidoor directly implements Windows commands such as schtasks, ping, and reg, a feature previously observed in another Lazarus Group malware called LightlessCan, itself a successor of BLINDINGCAN (aka AIRDRY aka ZetaNile).
AhnLab advises users to be cautious with email attachments and executable files from unknown sources.