Massive npm attack: 67 malicious packages distribute advanced malware

  • 67 malicious packages were detected on npm, linked to North Korean actors.
  • The goal was to distribute sophisticated malware, such as XORIndex Loader, BeaverTail, and InvisibleFerret.
  • The campaign uses advanced techniques to evade detection and to impersonate legitimate projects.
  • Developers are advised to strengthen their supply chain security and thoroughly analyze packages before use.


In recent months there has been a significant increase in malware distributed through the npm registry, the most widely used package repository in the Node.js ecosystem. Several security research teams have found that actors linked to North Korea are behind a wave of 67 malicious packages, downloaded more than 17,000 times before they were identified and removed, as part of the campaign known as "Contagious Interview."

The attackers' strategy is to infiltrate development environments by leveraging npm's popularity, impersonating legitimate projects and making subtle changes to avoid detection. Developers and organizations that rely on these packages to automate and speed up their workflows can be compromised without noticing.

"Contagious Interview" Campaign: The Persistent Threat on npm

This operation, dubbed "Contagious Interview", is not a one-off incident but a scheme sustained over time by North Korean state-sponsored groups. One of the tactics detected involves fake job offers aimed primarily at software developers. The "selection" process includes supposedly technical tests for candidates, which in practice require installing one of the malicious npm packages, allowing the malware to run on the candidate's machine.

The ultimate goal of these attacks is to steal sensitive data, such as credentials, cryptocurrency wallet files, or information about corporate systems, and to maintain persistent access to the compromised computers.

Compromised packages and deception techniques

Among the 67 packages identified are names that mimic well-known tools and libraries in the JavaScript ecosystem, such as "vite-meta-plugin," "vite-postcss-tools," and "js-prettier." Often the only difference from the real name is a slight variation or a typo, which makes the deception hard to spot. The same technique has been used in other malware campaigns targeting the Arch User Repository (AUR).

Installing one of these packages runs a post-installation script that launches the "XORIndex Loader," a malicious component designed to evade traditional detection systems. The loader collects information about the host, sends it to attacker-controlled servers (hosted on legitimate infrastructure such as Vercel), and receives instructions to download and execute further malicious modules such as "BeaverTail" and "InvisibleFerret."

This modular design lets the malware evolve and adapt to cleanup attempts, creating a "whack-a-mole" dynamic in which the attackers upload new variants as researchers detect and remove the older ones.

Technical operation: obfuscation and persistence

The "XORIndex Loader" stands out for its use of advanced obfuscation techniques, such as XOR-encoding its text strings and rotating between multiple command-and-control endpoints. After collecting data as varied as the username, hostname, operating system type, IP address, and geolocation of the device, the loader executes JavaScript received from the attackers' servers through "eval()", allowing it to download and activate additional payloads without user interaction. Malware detections in official repositories have also increased in recent months.

The second stage is "BeaverTail", which specializes in extracting sensitive information from cryptocurrency wallets and from the directories of widely used browser extensions. The stolen files are compressed and sent to IP addresses controlled by the criminals. The "InvisibleFerret" backdoor is then activated to maintain long-term control over the system.

Researchers have found that these mechanisms affect Windows, macOS, and Linux users alike, which widens the potential scope of the attack.


Recommendations and defense measures

Companies that rely on the npm ecosystem, as well as independent developers, should exercise extreme caution, especially when receiving unexpected job offers or unfamiliar packages. Researchers advise:

  • Verify the authorship and reputation of packages before installing them.
  • Analyze source code for obfuscation techniques or suspicious scripts.
  • Use real-time analysis tools, such as browser extensions or integrations with version control platforms like GitHub, that alert you to potentially risky dependencies.
  • Prioritize the use of projects maintained by active communities and with a transparent track record.
  • Run new libraries in sandboxes before moving to production.

The "Contagious Interview" campaign and the emergence of loaders like XORIndex show the importance of strengthening security controls in the software supply chain and the need to stay alert to any sign of suspicious activity on npm. Collaboration between developers, platforms, and security researchers will be essential to contain these threats, which, given their scope and sophistication, pose a challenge to thousands of professionals and companies around the world.
