Cybersecurity researchers report a recent supply chain attack tied to North Korean threat actors, involving 35 malicious npm packages linked to 24 accounts, which have been downloaded over 4,000 times. Six of the packages were still available for download at the time of the report. Each package includes a hex-encoded loader named HexEval, crafted to gather host information and deliver malicious follow-on payloads, including a known JavaScript stealer called BeaverTail. The operation shows how layered encoding evades typical static scanning and manual review, and highlights the risk that malicious packages pose to the software supply chain.
"This nesting-doll structure helps the campaign evade basic static scanners and manual reviews," Socket researcher Kirill Boychenko said.
"Each of the identified npm packages contains a hex-encoded loader dubbed HexEval, which is designed to collect host information post-installation and selectively deliver a follow-on payload."
"BeaverTail, in turn, is configured to download and execute a Python backdoor called InvisibleFerret, enabling the threat actors to collect sensitive data and establish remote control of infected hosts."
"One npm alias also shipped a cross-platform keylogger package that captures every keystroke, showing the threat actors' readiness to tailor payloads for deeper surveillance."
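The behaviour quoted above (an install-time loader hidden inside a long hex string) is something a defender can screen for before a package reaches a build host. The Python below is an added illustration, not code from Socket or from the packages in the report: it flags a package that both auto-runs an npm lifecycle hook and carries a hex literal that decodes to script text containing host-fingerprinting or code-execution markers. The marker list, the threshold and the fixture package are constructed assumptions.

```python
import json
import re

# Heuristic markers (an assumption of this example, not from the Socket
# report) that suggest a decoded blob fingerprints the host or runs code.
SUSPICIOUS_MARKERS = ("require(", "eval(", "child_process", "hostname",
                      "process.platform")
HEX_LITERAL = re.compile(r"""["']([0-9a-fA-F]{64,})["']""")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def find_hex_payloads(js_source, min_markers=2):
    """Decode long hex string literals and keep those that look like code."""
    findings = []
    for m in HEX_LITERAL.finditer(js_source):
        blob = m.group(1)
        if len(blob) % 2:
            continue  # odd length cannot be a byte string
        try:
            text = bytes.fromhex(blob).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or not hex at all; out of scope here
        if not all(c.isprintable() or c in "\r\n\t" for c in text):
            continue
        hits = [s for s in SUSPICIOUS_MARKERS if s in text]
        if len(hits) >= min_markers:
            findings.append({"offset": m.start(), "markers": hits, "decoded": text})
    return findings


def install_hooks(package_json_text):
    """Lifecycle scripts that npm runs automatically during install."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def assess_package(package_json_text, js_files):
    """Flag a package that both auto-runs on install and hides code in hex."""
    hooks = install_hooks(package_json_text)
    payloads = {n: find_hex_payloads(src) for n, src in js_files.items()}
    payloads = {n: p for n, p in payloads.items() if p}
    return {"install_hooks": hooks, "hex_payloads": payloads,
            "suspicious": bool(hooks and payloads)}


# Constructed fixture: a manifest with a postinstall hook and a module whose
# only long hex literal decodes to an inert host-fingerprinting snippet.
SAMPLE_MANIFEST = '{"name": "example-pkg", "version": "1.0.0", "scripts": {"postinstall": "node index.js", "test": "echo ok"}}'
INNER_SNIPPET = 'const os=require("os");const h={host:os.hostname(),plat:process.platform};'
SAMPLE_JS = 'const p="' + INNER_SNIPPET.encode().hex() + '";\n'
```

Calling `assess_package(SAMPLE_MANIFEST, {"index.js": SAMPLE_JS})` returns `suspicious: True`; a hex literal that decodes to non-text (a digest, binary data) is skipped rather than reported.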