Posted by CCIE Academy | www.ccieacademy.org
Stay updated: https://ccieacademy.org/blogs/
The North Korea Supply Chain Attack is actively targeting developers using malicious npm packages in a coordinated supply chain operation. This North Korea attack focuses on spreading malware and stealing sensitive data through popular development tools, posing a serious threat to the software supply chain.
Cybersecurity researchers have uncovered a new wave of supply chain attacks linked to North Korean hackers, specifically targeting software developers through npm. This operation is part of the ongoing โContagious Interviewโ campaign, which has been active since 2023 and continues to evolve.
35 Malicious npm Packages Identified
Uploaded by 24 fake npm accounts with over 4,000 total downloads.
Target:
Software developers, especially those actively job-hunting.
Method:
Fake recruiters send job-related coding tasks that trick developers into installing malware through npm packages hosted on GitHub or Bitbucket.
Current Active Packages:
react-plaid-sdk
sumsub-node-websdk
vite-plugin-next-refresh
vite-loader-svg
node-orm-mongoose
router-parse
HexEval Loader (Hex-encoded)
โ Collects host information.
BeaverTail JavaScript Stealer
โ Steals sensitive files and credentials.
InvisibleFerret Python Backdoor
โ Gives attackers remote access to infected systems.
Keylogger Module:
Some npm packages even included a cross-platform keylogger to capture keystrokes.
Social Engineering via LinkedIn:
Threat actors pose as recruiters to lure developers.
Fake Job Interviews:
Victims are sent malicious projects disguised as coding assignments.
ClickFix & ClickFake Interview Tactics:
Recent campaigns are using ClickFix social engineering to deliver additional malware like GolangGhost and PylangGhost.
(Some still active on npm)
react-plaid-sdk
sumsub-node-websdk
vite-plugin-next-refresh
vite-plugin-purify
nextjs-insight
vite-plugin-svgn
node-loggers
react-logs
reactbootstraps
framer-motion-ext
serverlog-dispatch
mongo-errorlog
next-log-patcher
vite-plugin-tools
pixel-percent
test-topdev-logger-v1
test-topdev-logger-v3
server-log-engine
logbin-nodejs
vite-loader-svg
struct-logger
flexible-loggers
beautiful-plugins
chalk-config
jsonpacks
jsonspecific
jsonsecs
util-buffers
blur-plugins
proc-watch
node-orm-mongoose
prior-config
use-videos
lucide-node
router-parse
The group is associated with several identifiers:
Contagious Interview
CL-STA-0240
DeceptiveDevelopment
Famous Chollima
Tenacious Pungsan
Void Dokkaebi
This North Korea-linked campaign focuses on cryptocurrency theft, espionage, and software supply chain attacks.
North Korean attackers are now focusing on developers via supply chain attacks.
They use fake interviews, social engineering, and malicious npm packages to infect systems.
Developers should avoid running untrusted code outside containerized environments.
For more cybersecurity news, hacking updates, and IT learning resources, follow CCIE Academy:
Website: www.ccieacademy.org
Blogs: https://ccieacademy.org/blogs/
Facebook: facebook.com/CCIENCA
