
North Korea Supply Chain Attack Targets Developers via 35 Malicious npm Packages

Posted by CCIE Academy | www.ccieacademy.org
Stay updated: https://ccieacademy.org/blogs/


Overview

A North Korea-linked supply chain attack is actively targeting software developers with malicious npm packages in a coordinated operation. The attackers spread malware and steal sensitive data through the everyday tooling developers rely on, which makes this a serious threat to the software supply chain.

Cybersecurity researchers have uncovered a new wave of supply chain attacks linked to North Korean hackers, specifically targeting software developers through npm. This operation is part of the ongoing “Contagious Interview” campaign, which has been active since 2023 and continues to evolve.


Key Details of the Attack

  • 35 Malicious npm Packages Identified
    Uploaded by 24 fake npm accounts with over 4,000 total downloads.

  • Target:
    Software developers, especially those actively job-hunting.

  • Method:
    Fake recruiters send job-related coding assignments, hosted on GitHub or Bitbucket, whose dependencies include the malicious npm packages; installing and running the assignment pulls the malware onto the developer's machine.

  • Packages still live on npm when the attack was reported:

    • react-plaid-sdk

    • sumsub-node-websdk

    • vite-plugin-next-refresh

    • vite-loader-svg

    • node-orm-mongoose

    • router-parse


Malware Details

The Infection Chain (each stage fetches the next):

  1. HexEval Loader (hex-encoded)
    ➜ Executed on the developer's machine by the poisoned package; collects host information and fetches the next stage.

  2. BeaverTail JavaScript Stealer
    ➜ Steals sensitive files, browser data, and cryptocurrency wallet credentials, then deploys the backdoor.

  3. InvisibleFerret Python Backdoor
    ➜ Gives the attackers persistent remote access to the infected system.

Keylogger Module:
Some npm packages even included a cross-platform keylogger to capture keystrokes.


Attack Strategy

  • Social Engineering via LinkedIn:
    Threat actors pose as recruiters to lure developers.

  • Fake Job Interviews:
    Victims are sent malicious projects disguised as coding assignments.

  • ClickFix & ClickFake Interview Tactics:
    Recent campaigns are using ClickFix social engineering to deliver additional malware like GolangGhost and PylangGhost.


Full List of Malicious npm Packages

(Six of these were still live on npm when the attack was reported)

  • react-plaid-sdk

  • sumsub-node-websdk

  • vite-plugin-next-refresh

  • vite-plugin-purify

  • nextjs-insight

  • vite-plugin-svgn

  • node-loggers

  • react-logs

  • reactbootstraps

  • framer-motion-ext

  • serverlog-dispatch

  • mongo-errorlog

  • next-log-patcher

  • vite-plugin-tools

  • pixel-percent

  • test-topdev-logger-v1

  • test-topdev-logger-v3

  • server-log-engine

  • logbin-nodejs

  • vite-loader-svg

  • struct-logger

  • flexible-loggers

  • beautiful-plugins

  • chalk-config

  • jsonpacks

  • jsonspecific

  • jsonsecs

  • util-buffers

  • blur-plugins

  • proc-watch

  • node-orm-mongoose

  • prior-config

  • use-videos

  • lucide-node

  • router-parse


Who is Behind the Attack?

The group is associated with several identifiers:

  • Contagious Interview

  • CL-STA-0240

  • DeceptiveDevelopment

  • Famous Chollima

  • Tenacious Pungsan

  • Void Dokkaebi

This North Korea-linked campaign focuses on cryptocurrency theft, espionage, and software supply chain attacks.


Key Takeaways

  • North Korean attackers are now focusing on developers via supply chain attacks.

  • They use fake interviews, social engineering, and malicious npm packages to infect systems.

  • Developers should treat take-home coding assignments as untrusted code: inspect package.json and the lockfile before installing, and run the project only inside a disposable container or virtual machine.


Stay Updated

For more cybersecurity news, hacking updates, and IT learning resources, follow CCIE Academy:

🌐 Website: www.ccieacademy.org
📝 Blogs: https://ccieacademy.org/blogs/
👍 Facebook: facebook.com/CCIENCA