When a regular JavaScript loader turns into a spying tool.
Three malicious packages published in the npm repository in September 2024 contained the well-known BeaverTail malware, a JavaScript downloader and data-stealing tool associated with a North Korean campaign called "Contagious Interview."
The Datadog Security Research team tracks the attackers behind this activity under the codename "Tenacious Pungsan", also known as CL-STA-0240 and Famous Chollima. The packages that distributed the malware have already been removed from the npm repository. Among them were:
- passports-js (a malicious copy of the "passport" library, 118 downloads);
- bcrypts-js (a malicious copy of "bcryptjs", 81 downloads);
- blockscan-api (a malicious copy of "etherscan-api", 124 downloads).
"Contagious Interview" is a months-long campaign in which attackers trick developers into downloading malicious files or using fake video conferencing applications under the guise of test tasks. The campaign was first identified in November 2023.
Similar attacks via npm packages have been observed before. In August 2024, Phylum discovered other infected packages, including temp-etherscan-api and telegram-con, which were used to install BeaverTail and a Python backdoor called InvisibleFerret. Ongoing attempts to mimic the etherscan-api package indicate the criminals' continued interest in the cryptocurrency sector.
In addition, in September 2024, Stacklok announced the detection of new malicious packages, eslint-module-conf and eslint-scope-util, aimed at stealing cryptocurrency and maintaining persistent access to developers' machines. According to Unit 42 (Palo Alto Networks), attackers actively exploit the trust of job seekers to distribute malware through job postings and test tasks.
Experts emphasize the growing risk associated with open repositories. Modifying legitimate npm packages to inject malicious code is becoming a common tactic, and developers continue to be a key target of North Korean hackers.
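A lockfile check for the package names reported above, as an added example that is not part of the original post or of any vendor's tooling. The sample lockfiles, their placeholder versions and the `demo-lib` and `auth` names are constructed for illustration.

```javascript
// Names reported in the article above; all have been removed from npm.
const REPORTED = new Set([
  'passports-js', 'bcrypts-js', 'blockscan-api', // Datadog, September 2024
  'temp-etherscan-api', 'telegram-con',          // Phylum, August 2024
  'eslint-module-conf', 'eslint-scope-util',     // Stacklok, September 2024
]);

// Return [{ name, version, path }] for each reported package in a parsed package-lock.json.
function findReportedPackages(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const i = path.lastIndexOf('node_modules/');
    // An aliased install keeps the real registry name in "name".
    const name = meta.name || (i >= 0 ? path.slice(i + 'node_modules/'.length) : path);
    if (REPORTED.has(name)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 repeats it, so skip it there).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (REPORTED.has(name)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (versions are placeholders, not real releases).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/passport': { version: '0.0.0' },
  'node_modules/bcrypts-js': { version: '0.0.0' },
  'node_modules/auth': { name: 'passports-js', version: '0.0.0' }, // alias
  'node_modules/demo-lib/node_modules/blockscan-api': { version: '0.0.0' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'etherscan-api': { version: '0.0.0' },
  'demo-lib': { version: '0.0.0', dependencies: { 'telegram-con': { version: '0.0.0' } } },
} };

for (const sample of [SAMPLE_V3, SAMPLE_V1]) {
  for (const hit of findReportedPackages(sample)) {
    console.log(`v${sample.lockfileVersion}: ${hit.name}@${hit.version} at ${hit.path}`);
  }
}
```

To scan a real project, pass the parsed contents of its `package-lock.json` to `findReportedPackages`; the legitimate `passport` and `etherscan-api` entries are not flagged because matching is on the exact reported names.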