North Korean hackers are using malicious npm packages to target developers

Multiple malicious packages spotted on the repository

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

North Korean state-sponsored threat actors were observed pushing malicious packages into the npm registry, in an attempt to infiltrate endpoints belonging to software developers.

This time around, they were spotted by cybersecurity researchers from Phylum, who argue the end goal of the campaign is to steal people’s cryptocurrencies.

According to the researchers, the attack started on August 12 this year. Multiple malicious npm packages were uploaded, including temp-etherscan-api, and two versions of ethersscan-api. More than a week later, the crooks uploaded telegram-con, and another version of ethersscan-api, and some time later, qq-console. Chances are, there are even more packages out there.

InvisibleFerret and Lazarus

All these npm packages are just a cog in a wider wheel of a malicious campaign the researchers dubbed “Contagious Interview”. The crooks would ‘impersonate’ a major software development company (be it in web2 or web3), and pretend to offer a great new job opportunity to the victims. Sometimes, they would reach out via LinkedIn, and sometimes, via instant messaging platforms such asTelegram.

The victims, usually software developers already working on blockchain-based solutions, would be offered a great job with a significant salary increase, and would be invited for a series of interviews. In one of those interviews, they would either be asked to download and open a .PDF file or, in this case, an npm package.

These packages deploy a piece of Pythonmalwarecalled InvisibleFerret, capable of exfiltrating sensitive data from cryptocurrency walletbrowserextensions.

Although the researchers never mention them by name, this is a method usually deployed by the North Korean state-sponsored group known as Lazarus.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Lazarus is one of the largest, most disruptive hacking collectives to come out of North Korea. It’s been attributed with some of the largest cryptocurrency heists in history, including the theft of more than $600 million. Allegedly, the country is using the money to fund its state apparatus, as well as its weapons program.

ViaThe Hacker News

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time