- Security researchers discovered 67 malicious packages on NPM
- The packages are part of the contagious interview campaign
- They are probably deployed by North Korean attackers
North Korean hackers have been seen pushing dozens of malicious packages to NPM in an attempt to compromise Western technology products through supply chain attacks.
CyberSecurity Researchers Socket claims that the latest push of 67 malicious packages is only the second stage of a previous attack in which 35 packages were published, as part of a campaign called SMITious interview.
“The infectious interview operation continues to follow a whack-a-mole dynamics where defenders detect and report malicious packages, and North Korean threat actors respond quickly by uploading new variants using the same, similar or slightly developed Playbooks,” said socket researcher Kirill Boychenko.
Thousands of victims
Uploading malicious code for NPM is just a setup. The real attack probably happens elsewhere – on LinkedIn, Telegram or Discord. North Korean attackers would constitute recruiters or HR leaders in large, reputable tech companies and would reach out to software developers offering work.
The interview process includes several rounds of lectures and ends with a test assignment. This test assignment requires the job search to download and run an NPM package where the person ends up with a compromised device. Of course, this does not mean that other people could not accidentally download smart packages.
Cumulatively attracted the packages more than 17,000 downloads, which is quite the attack surface.
North Koreans are notorious for their false jobs and false staff fraud whose goals usually vary between cyber-espionage and financial theft. If they do not steal intellectual property or proprietary data, they steal the cryptocurrencies used by the government to finance the state apparatus and its nuclear weapons program.
The campaigns implement all kinds of Malware from Beavertail InfoTeals, across Xorindex Loader, Hexeval and many others.
“Infectious interview -threat players will continue to diversify their malware portfolio, rotate through new NPM maintenance aliases, reuse loaders such as hexeval loader and malware families such as Beavertail and Invisible Ferret and actively implementing newly observed variants, including Xorindex Loader,” the researchers concluded.
Via Hacker the news
