
338 Malicious npm Packages Linked to North Korean Hackers

North Korean hackers used fake job offers and malicious npm packages to infect developers and steal cryptocurrency.

Written by Ken Underhill
Oct 14, 2025

North Korean state-sponsored hackers have escalated their ongoing Contagious Interview campaign with one of the largest coordinated malicious-package operations yet reported against the npm registry. 

Security researchers discovered 338 malicious npm packages—downloaded more than 50,000 times—engineered to target cryptocurrency and blockchain developers. 

This factory-style operation exploited both the trust inherent in open-source development and the social behaviors of technical professionals, illustrating how nation-state threat actors continue to weaponize software supply chains for financial and strategic gain.

Social engineering and the recruitment trap

The campaign begins with an elaborate social engineering phase. Threat actors pose as recruiters or hiring managers on LinkedIn, focusing on developers who specialize in blockchain, Web3, or cryptocurrency technologies. 

Victims receive what appear to be legitimate job opportunities and are asked to complete coding assignments as part of a supposed interview process.

A recent case involved a software engineer who was asked to clone a repository containing a malicious npm dependency named eslint-detector.

The package contained encrypted payloads designed to harvest browser credentials, API tokens, and cryptocurrency wallet data. 

The attackers increased the success rate of infection by introducing artificial urgency—tight interview deadlines and seemingly routine setup instructions—pressuring victims to execute npm install without reviewing the code.

This recruitment pretext sidesteps traditional phishing defenses. The payload arrives as a dependency pulled in by npm install rather than as an email attachment or link, so mail filters and URL scanners never see it, and endpoint tools that treat node as a trusted developer process often fail to flag the malicious package.

Technical Sophistication and Malware Delivery

The latest wave of the Contagious Interview campaign shows significant technical evolution. Earlier variants relied primarily on BeaverTail malware droppers. 

This wave introduced three loader families: HexEval, XORIndex, and a newer set of encrypted loaders. All three decode and reconstruct the next stage in memory rather than dropping a readable script to disk. 

This in-memory execution approach minimizes detectable traces on disk, frustrating static analysis and traditional malware scanning.

Once executed, these loaders typically fetch the InvisibleFerret backdoor, a cross-platform malware designed to maintain persistence and enable remote command execution. 

The attack chain relies on npm lifecycle scripts such as preinstall and postinstall, which npm runs automatically during npm install. The loader therefore executes before the developer has imported a single module from the package; other variants fire on first require of the package.

The malicious packages often masquerade as common dependencies used in Node.js and Express environments. Threat actors publish typosquatted versions of widely used packages, including express, dotenv, and body-parser.

Others imitate cryptocurrency development libraries such as ethers.js and web3.js. By exploiting developers’ trust and muscle memory, these fake packages blend seamlessly into everyday project environments.
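The lookalike-name pattern described above can be caught mechanically before a package ever reaches npm install. The following is an added example, not code from the article or from the researchers it cites: it computes the edit distance between each declared dependency and a short allowlist of the packages the article says were imitated, and reports anything within one or two edits. The allowlist, the sample dependency names, and the "@acme" scope are constructed for illustration and are not claims about any real npm package.

```javascript
// Added example (not code from the article or from the researchers it cites):
// flag dependency names that sit one or two edits away from a well-known
// package, the typosquatting pattern the campaign used against express,
// dotenv, body-parser, ethers and web3.

// Names the article says were imitated. A real deployment would load the full
// list of packages your projects actually depend on (assumption: you keep one).
const KNOWN_PACKAGES = ["express", "dotenv", "body-parser", "ethers", "web3"];

// Levenshtein edit distance (insert, delete, substitute), single-row variant.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];      // d[i-1][j-1]
    row[0] = i;             // d[i][0]
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j], becomes the next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Compare the unscoped, lower-cased name so "@scope/expres" is still caught.
function baseName(pkg) {
  const n = pkg.toLowerCase();
  return n.startsWith("@") ? n.slice(n.indexOf("/") + 1) : n;
}

// Return lookalike hits as {name, mimics, distance}. An exact match is the
// legitimate package and is skipped; short names get a tighter threshold
// because two edits away from "web3" covers too many legitimate names.
function findTyposquats(dependencies, known = KNOWN_PACKAGES) {
  const hits = [];
  for (const dep of dependencies) {
    const b = baseName(dep);
    for (const k of known) {
      if (b === k) continue;
      const maxDist = k.length <= 6 ? 1 : 2;
      const d = levenshtein(b, k);
      if (d <= maxDist) hits.push({ name: dep, mimics: k, distance: d });
    }
  }
  return hits;
}

// Constructed sample dependency list for this example. The lookalike names are
// made up for illustration and are not claims about any real npm package.
const SAMPLE_DEPS = [
  "express", "expres", "dotenv", "dot-env", "body-parse",
  "etherss", "web3", "lodash", "@acme/expresss",
];

for (const hit of findTyposquats(SAMPLE_DEPS)) {
  console.log(`${hit.name} looks like ${hit.mimics} (distance ${hit.distance})`);
}
```

Run it against the dependencies and devDependencies of a package.json before installing. Treat a hit as a prompt to open the package page and check its publisher, download history and publish date, not as proof of malice: legitimate forks and renamed packages will also land within a couple of edits of a popular name.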

Command and control (C2) infrastructure

Once installed, the malware connects to command and control (C2) servers through HTTP, HTTPS, or WebSocket protocols. 

Infrastructure analysis shows a hybrid setup: raw IP addresses hosted on commodity virtual private servers, paired with front-end beacons on legitimate platforms such as Vercel. 

This design helps the traffic appear benign, mimicking developer-related web requests through URIs like “/api/ipcheck” or “/process-log.”
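The beacon pattern above (a scripted HTTP client on a developer workstation talking to a raw IP or a Vercel-fronted host on a path such as /api/ipcheck or /process-log) is something a detection engineer can hunt for in proxy telemetry. The following is an added example, not code from the article or from the researchers it cites. It parses a constructed key=value proxy log format, scores each request against those indicators, and flags the ones worth pivoting on. The log lines, TEST-NET addresses, and hostnames are constructed; the two URIs are the ones the article quotes.

```javascript
// Added example (not from the original article): score outbound HTTP requests
// from developer workstations for the beacon pattern described above: raw-IP
// destinations on commodity VPS hosts, front-end beacons on Vercel, and
// developer-looking URIs such as /api/ipcheck and /process-log.

// Paths quoted in the article. Indicators, not proof.
const BEACON_PATHS = ["/api/ipcheck", "/process-log"];
// User agents of scripting HTTP clients, i.e. not a browser session.
const SCRIPTED_UA = /^(node|axios|undici|node-fetch|got|curl|python-requests)/i;
const IPV4 = /^(\d{1,3}\.){3}\d{1,3}$/;

// Parse one "key=value key=value" proxy log line (constructed format for the example).
function parseLine(line) {
  const entry = {};
  for (const tok of line.trim().split(/\s+/)) {
    const eq = tok.indexOf("=");
    if (eq > 0) entry[tok.slice(0, eq)] = tok.slice(eq + 1);
  }
  return entry;
}

// Collect the indicators a single request matches.
function scoreRequest(e) {
  const reasons = [];
  const host = (e.host || "").toLowerCase();
  const path = e.path || "";
  if (IPV4.test(host)) reasons.push("raw-ip-destination");
  if (host.endsWith(".vercel.app")) reasons.push("vercel-fronted");
  if (BEACON_PATHS.some((p) => path === p || path.startsWith(p + "?"))) reasons.push("beacon-uri");
  if (SCRIPTED_UA.test(e.ua || "")) reasons.push("scripted-client");
  return reasons;
}

// Flag a request when it carries a beacon URI, or when a scripted client talks
// straight to a raw IP. A browser visiting a vercel.app site on its own is
// noise and is deliberately not flagged.
function detectBeacons(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseLine(line);
    const reasons = scoreRequest(e);
    const suspicious =
      reasons.includes("beacon-uri") ||
      (reasons.includes("raw-ip-destination") && reasons.includes("scripted-client"));
    if (suspicious) hits.push({ src: e.src, host: e.host, path: e.path, reasons });
  }
  return hits;
}

// Constructed sample proxy log: TEST-NET destination addresses, made-up hostnames.
const SAMPLE_LOG = [
  "ts=2025-10-14T09:12:01Z src=10.20.0.15 host=registry.npmjs.org method=GET path=/express ua=npm/10.8.2",
  "ts=2025-10-14T09:12:07Z src=10.20.0.15 host=203.0.113.45 method=POST path=/api/ipcheck ua=node",
  "ts=2025-10-14T09:12:09Z src=10.20.0.15 host=example-dev.vercel.app method=POST path=/process-log ua=axios/1.7.2",
  "ts=2025-10-14T09:13:40Z src=10.20.0.22 host=my-portfolio.vercel.app method=GET path=/ ua=Mozilla/5.0",
  "ts=2025-10-14T09:14:02Z src=10.20.0.15 host=198.51.100.8 method=GET path=/update ua=undici",
];

for (const hit of detectBeacons(SAMPLE_LOG)) {
  console.log(`${hit.src} -> ${hit.host}${hit.path} [${hit.reasons.join(", ")}]`);
}
```

Each hit carries the source address so the workstation can be pulled for triage; in the sample, one host produces three hits in two minutes, which is the kind of cluster that should page someone. Tune the scripted user-agent list to what your own telemetry records, and expect attackers to rotate paths, so keep the raw-IP-plus-scripted-client rule even when the URI list goes stale.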

The BeaverTail malware establishes persistence by registering the compromised host and preparing it for long-term access. It then stages InvisibleFerret, which runs on Windows, macOS, and Linux systems. 

This dual-stage approach provides attackers with a durable foothold, enabling credential theft, keylogging, and data exfiltration across multiple operating systems.

Researchers note that when malicious npm packages are discovered and removed, the attackers rapidly upload new variants under fresh aliases. This iterative tactic demonstrates the persistence and industrial-scale organization behind the campaign.

Objectives

The ultimate goal of the Contagious Interview operation seems to be financial gain through cryptocurrency theft. Once inside a developer’s environment, the attackers can extract private keys, credentials, and wallet data—valuable assets in decentralized finance ecosystems. 

Reports suggest that North Korean threat groups collectively stole over $2 billion in 2025 alone, underscoring the profitability and scale of these operations.

The campaign also highlights broader implications for supply chain security. By compromising open-source registries like npm, threat actors can poison software pipelines globally, reaching both individual developers and major organizations downstream.  

Defensive recommendations

Defending against campaigns like Contagious Interview requires both technical controls and cultural change in development practices. 

Security researchers recommend treating every npm install as a code execution event: lifecycle scripts run with the developer's privileges, credentials, and network access. Organizations should implement automated dependency scanning and enforce pre-merge checks that validate the provenance and trustworthiness of external libraries. The simplest technical control is to install with lifecycle scripts disabled (ignore-scripts=true in .npmrc, or npm ci --ignore-scripts in CI) and re-enable them only for a reviewed allowlist of packages that genuinely need them.
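One concrete form of the pre-merge check recommended above is to diff the pull request's package-lock.json against the main branch's and stop the merge on any newly introduced package that declares an install-time script or is fetched from outside the public registry. The following is an added example, not code from the article or from the researchers it cites. It reads the "packages" map of an npm lockfile (lockfileVersion 2 or 3), where npm records hasInstallScript: true for packages with preinstall, install, or postinstall scripts. The two lockfiles, the package names "build-prep" and "@acme/helper", and the integrity strings are constructed placeholders.

```javascript
// Added example (not code from the article or the researchers it cites): a
// pre-merge check that diffs a pull request's package-lock.json against the
// main branch's and reports every newly introduced or re-versioned package that
// declares an install-time lifecycle script or is fetched from outside the
// public registry. Reads the "packages" map of lockfile v2/v3, in which npm
// marks packages that have preinstall/install/postinstall scripts with
// hasInstallScript: true.

const REGISTRY = "https://registry.npmjs.org/";

// Lockfile keys look like "node_modules/express" or
// "node_modules/a/node_modules/@scope/b"; the package name is everything after
// the last "node_modules/".
function packageName(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// One finding per package that is new, or changed version, in prLock.
// A finding with a non-empty reasons list should block the merge until a
// human has read the package.
function reviewLockfileChange(baseLock, prLock) {
  const basePkgs = baseLock.packages || {};
  const findings = [];
  for (const [key, meta] of Object.entries(prLock.packages || {})) {
    if (key === "") continue;                 // "" is the root project itself
    const prev = basePkgs[key];
    if (prev && prev.version === meta.version) continue;
    const reasons = [];
    if (meta.hasInstallScript) reasons.push("install-script");
    if (!meta.resolved || !meta.resolved.startsWith(REGISTRY)) reasons.push("non-registry-source");
    if (!meta.integrity) reasons.push("missing-integrity");
    findings.push({ name: packageName(key), version: meta.version, reasons });
  }
  return findings;
}

function shouldBlockMerge(findings) {
  return findings.some((f) => f.reasons.length > 0);
}

// Constructed lockfiles for the example. "build-prep" and "@acme/helper" are
// hypothetical names; resolved URLs and integrity strings are placeholders.
const BASE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/express": { version: "4.19.2", resolved: REGISTRY + "express/-/express-4.19.2.tgz", integrity: "sha512-placeholder" },
} };
const PR_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/express": { version: "4.19.2", resolved: REGISTRY + "express/-/express-4.19.2.tgz", integrity: "sha512-placeholder" },
  "node_modules/dotenv": { version: "16.4.5", resolved: REGISTRY + "dotenv/-/dotenv-16.4.5.tgz", integrity: "sha512-placeholder" },
  "node_modules/build-prep": { version: "1.0.0", resolved: REGISTRY + "build-prep/-/build-prep-1.0.0.tgz", integrity: "sha512-placeholder", hasInstallScript: true },
  "node_modules/@acme/helper": { version: "0.1.0", resolved: "https://example.com/helper.tgz", integrity: "sha512-placeholder" },
} };

const findings = reviewLockfileChange(BASE_LOCK, PR_LOCK);
for (const f of findings) console.log(f.name, f.version, f.reasons.join(",") || "ok");
console.log(shouldBlockMerge(findings) ? "BLOCK merge: review flagged packages" : "PASS");
```

Run this in CI before any install step, or after an install done with npm ci --ignore-scripts, so that no lifecycle script executes before the check has passed. The version comparison matters as much as the new-package check: an attacker who already controls a package name can ship the loader in a point release, and a lockfile bump is the only trace of it in the pull request.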

Registries such as npm must also enhance account-level enforcement by suspending malicious publishers, revoking access tokens, and requiring multifactor authentication. Pre-publish screening and velocity throttling can help detect suspicious upload patterns and prevent large-scale infiltration.

For individual developers, vigilance is equally critical. Job seekers should verify recruiter identities through the hiring company's official channels, avoid running unverified code, and inspect package.json and the lockfile, including any lifecycle scripts, before installing. Any take-home assignment should run in a disposable virtual machine or container with no access to wallets, SSH keys, browser profiles, or cloud credentials.

The North Korean Contagious Interview campaign demonstrates how state-sponsored actors continue to refine their methods by combining human deception with technical sophistication. 

By infiltrating the open-source supply chain, these attackers blur the line between trusted development practices and malicious compromise.  


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
