Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Hackers Deploy Malicious npm Packages

August 30, 2024
Reading Time: 2 mins read
in Alerts
Hackers Deploy Malicious npm Packages

North Korean hackers have launched a new campaign targeting software developers by publishing a series of malicious npm packages to the registry between August 12 and 27, 2024. The packages, including temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console, are part of a coordinated effort to distribute malware and steal cryptocurrency assets. Security firm Phylum has linked the qq-console package to the “Contagious Interview” campaign, which tricks developers into downloading fake job interview tools that secretly install malware.

The Contagious Interview campaign is designed to deploy a Python-based malware known as InvisibleFerret, which exfiltrates sensitive data from cryptocurrency wallet browser extensions and establishes persistence on the infected host. This is achieved using legitimate remote desktop software like AnyDesk. CrowdStrike, a prominent cybersecurity firm, tracks this activity under the moniker Famous Chollima. The attackers leverage these techniques to infiltrate the systems of unsuspecting developers, enabling them to steal valuable data and assets.

A notable aspect of this campaign is the use of a new approach in the helmet-validate package, which embeds a JavaScript file named config.js that executes code hosted on a remote domain. This domain has been linked to previous attacks, further connecting the current activity to past campaigns. Additionally, another package, sass-notification, was uploaded on August 27, 2024, and shares characteristics with other malicious npm libraries attributed to another North Korean group, Moonstone Sleet. These packages often use obfuscated JavaScript to execute scripts that download, decrypt, and execute remote payloads, leaving behind minimal traces of malicious activity.

Famous Chollima has also been linked to insider threat operations, where attackers infiltrate corporate environments by posing as legitimate IT workers. Using falsified or stolen identity documents, these insiders gain employment at target companies and perform minimal tasks while exfiltrating data using tools like Git, SharePoint, and OneDrive. They also utilize remote management tools to maintain access to victim networks. CrowdStrike’s investigation revealed that Famous Chollima has targeted over 100 companies across various sectors, including technology, fintech, and retail, in countries such as the U.S., Saudi Arabia, and France. While financially motivated, some attacks have involved the exfiltration of sensitive corporate information.

Reference:

  • North Korean Hackers Exploit Developers in New Malicious npm Packages Campaign
Tags: August 2024Cyber AlertsCyber Alerts 2024Cyber threatsDevelopersHackersNorth KoreaNPM packagesSoftware
ADVERTISEMENT

Related Posts

FreeDrain Phishing Steals Crypto Funds

FBI Warns Cybercriminals Exploit Routers

May 9, 2025
FreeDrain Phishing Steals Crypto Funds

X Scam Targets Crypto Users with Fake Ads

May 9, 2025
FreeDrain Phishing Steals Crypto Funds

FreeDrain Phishing Steals Crypto Funds

May 9, 2025
COLDRIVER Hackers Target Sensitive Data

COLDRIVER Hackers Target Sensitive Data

May 8, 2025
COLDRIVER Hackers Target Sensitive Data

Cisco Fixes Flaw in IOS Wireless Controller

May 8, 2025
COLDRIVER Hackers Target Sensitive Data

CoGUI Targets Consumer and Finance Brands

May 8, 2025

Latest Alerts

X Scam Targets Crypto Users with Fake Ads

FBI Warns Cybercriminals Exploit Routers

FreeDrain Phishing Steals Crypto Funds

CoGUI Targets Consumer and Finance Brands

COLDRIVER Hackers Target Sensitive Data

Cisco Fixes Flaw in IOS Wireless Controller

Subscribe to our newsletter

    Latest Incidents

    LockBit Ransomware Data Leaked After Hack

    Spanish Consumer Group Faces Cyberattack

    Education Giant Pearson Hit by Data Breach

    Masimo Cyberattack Disrupts Manufacturing

    Cyberattack Targets Tepotzotlán Facebook

    West Lothian Schools Hit by Ransomware

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial