The North Korean threat actors responsible for the Contagious Interview campaign have expanded their tactics by introducing new malicious packages on the npm ecosystem. These packages deliver BeaverTail malware and a new remote access trojan (RAT) loader, aiming to infiltrate developer systems. The attackers have employed sophisticated obfuscation techniques, including hexadecimal string encoding, to bypass detection by automated systems and manual code audits. The malicious packages were downloaded over 5,600 times before their removal, indicating their effectiveness in targeting unsuspecting developers.
The goal of this campaign is to steal sensitive data and maintain long-term access to compromised systems. The attackers use social engineering techniques, masquerading as legitimate job interview processes, to trick developers into downloading the malicious packages. These newly identified npm libraries, such as dev-debugger-vite and icloud-cod, have been linked to Bitbucket repositories and use command-and-control addresses previously associated with the Lazarus Group’s operations. Some packages even contain minor code variations to increase the success rate of the attack, demonstrating the persistent and evolving nature of the threat.
In addition to stealing credentials and financial data, the malware used in these packages can scan for Solana wallet IDs and exfiltrate data from web browsers like Brave, Chrome, and Opera. Some of the malware is also capable of stealing keychain data from macOS systems. This highlights the cross-platform capabilities of the campaign, which continues to pose a significant risk to developers and organizations. The attackers have also employed advanced techniques like rotating endpoints to ensure payload delivery, even if individual domains are blocked.
Security researchers have identified several npm accounts and repositories linked to the campaign, such as taras_lakhai and mvitalii. These accounts have been used to distribute the malicious packages, which masquerade as utilities for debugging, logging, and API handling. Developers are urged to implement security measures like dependency auditing tools and to scrutinize repositories linked to npm packages to avoid falling victim to this ongoing threat. The campaign illustrates the growing sophistication and persistence of the Lazarus Group’s operations.
