North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
Summary:
North Korean threat actors behind the ongoing "Contagious Interview" operation have significantly expanded their activity within the npm ecosystem, according to Socket researcher Kirill Boychenko. They have published at least 11 new malicious packages, downloaded more than 5,600 times in total, that deliver the BeaverTail infostealer and introduce a new remote access trojan (RAT) loader. The packages use hexadecimal string encoding, a new obfuscation technique for this group, to hide strings from signature-based detection. The objectives are unchanged: compromise developer systems, steal sensitive data, siphon assets, and maintain persistent access. The group keeps creating new npm accounts and distributes its code across npm, GitHub, and Bitbucket, showing how readily it moves between platforms. npm has suspended most of the identified accounts, though some remain active, and the associated GitHub and Bitbucket repositories are being reported for removal. Infrastructure overlap and structural hallmarks link the activity to the Lazarus Group; one recurring tactic is to create seemingly legitimate, actively maintained repositories before publishing the malicious packages. The malware deployed includes BeaverTail, InvisibleFerret, and the new RAT loader. One of the malicious packages pointed to a Bitbucket repository hosted under a directory named "eiwork_hire", a name that could be reused to make the group's Contagious Interview lures look legitimate. Boychenko notes that the exact nature of the malware delivered by the loader is still unknown, because the C2 endpoints were no longer serving payloads at the time of analysis.
Security Officer Comments:
The continued expansion of the North Korean "Contagious Interview" operation within the npm ecosystem presents a significant challenge to the software development community. The introduction of new RAT loader functionality alongside the persistent use of the BeaverTail infostealer and InvisibleFerret indicates a broadening attack capability. This disclosure follows a similar campaign distributing BeaverTail via npm packages about a month ago. The adoption of hexadecimal string encoding highlights the threat actors' adaptive nature and their focus on evading traditional detection mechanisms, which in turn demands analysis that decodes obfuscated strings rather than matching on raw source. The observed links to the Lazarus Group, such as reuse of a C2 endpoint previously flagged in the Lazarus campaign tracked as Phantom Circuit, and the abuse of multiple developer platforms, further underscore the sophistication and resources behind this campaign. The deployment of multiple malware variants within the same campaign suggests a calculated effort to increase the odds of success and complicate detection. It is crucial for developers and security teams to remain vigilant, scrutinize packages thoroughly, and implement robust security measures to mitigate the risks posed by these persistent and resourceful DPRK threat actors.
Suggested Corrections:
IOCs:
https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket
Socket Recommendations:
Proactive defense must become foundational to software development practices. To mitigate these risks, we recommend embedding multiple layers of supply chain security throughout the development lifecycle. This includes automated dependency audits, contextual scanning of third-party packages, and close scrutiny of packages with limited download history or unverifiable maintainers. Monitoring for unusual dependency changes and blocking outbound traffic to known or suspicious C2 endpoints can help contain threats before they escalate.
Link(s):
https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html
https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket