North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign
Briefly

North Korean threat actors linked to the Contagious Interview campaign have published a further 67 malicious packages to the npm registry, which together have accumulated more than 17,000 downloads. The packages carry a previously undocumented malware loader codenamed XORIndex and extend a recent attack wave in which 35 malicious npm packages deployed a loader called HexEval. The campaign lures developers into downloading and running software presented as a coding assignment, and it specifically targets developers already employed at companies of interest. The malicious packages act as a conduit for the JavaScript loader and stealer BeaverTail, which harvests data and then deploys InvisibleFerret, a Python backdoor.
The packages, downloaded more than 17,000 times, carry a previously undocumented malware loader codenamed XORIndex; the activity extends an earlier wave of 35 npm packages that deployed the HexEval loader.
The Contagious Interview operation continues to follow a whack-a-mole dynamic where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants.
Contagious Interview seeks to entice developers into downloading and executing an open-source project as part of a purported coding assignment, with the targets being developers already employed at companies of interest.
The attack chains using malicious npm packages serve as a conduit for a known JavaScript loader and stealer called BeaverTail, which extracts data and deploys a Python backdoor referred to as InvisibleFerret.
Read at The Hacker News