Malicious npm Packages Target Software Developers in Job Interview Scam

A sophisticated social engineering campaign, tracked as DEV#POPPER, is actively targeting software developers by offering fake job interviews and tricking them into downloading malicious npm packages that ultimately drop a Python backdoor.

Security researchers have attributed this campaign to North Korean threat actors, who use the guise of job interviews to deceive developers. During these fraudulent interviews, developers are instructed to download and run software from seemingly legitimate sources, such as GitHub. The software actually contains a malicious Node.js payload that compromises the developer's system as soon as it is executed.

The campaign came to light in late November 2023, when researchers reported on a related activity cluster called Contagious Interview. In that cluster, threat actors pose as employers to lure developers into installing malware such as BeaverTail and InvisibleFerret under the pretext of a job interview.

The researchers also discovered malicious npm packages on the registry that delivered the same malware families, aiming to steal sensitive information from compromised systems.

It’s important to differentiate Contagious Interview from Operation Dream Job (also known as DeathNote or NukeSped). Contagious Interview focuses on targeting developers through fake identities on freelance job portals, using developer tools and npm packages to distribute malware like BeaverTail and InvisibleFerret.

On the other hand, Operation Dream Job, associated with the Lazarus Group from North Korea, targets professionals in various sectors by sending malicious files disguised as job offers to distribute malware.

The analysis reveals that the attack chain starts with a ZIP archive hosted on GitHub, which is likely sent to the target as part of the interview process. The archive contains a seemingly harmless npm module that actually harbors a malicious JavaScript file (BeaverTail) acting as an information stealer and a loader for a Python backdoor (InvisibleFerret) retrieved from a remote server.

In addition to gathering system information, the implant can execute commands, enumerate and exfiltrate files, and log clipboard and keystrokes.

This campaign highlights the ongoing efforts of North Korean threat actors to refine their cyber attack capabilities. They continuously update their techniques to evade detection and blend in with host systems and networks, aiming to profit from data theft and other malicious activities.

The researchers emphasize the importance of maintaining a security-focused mindset, especially during high-pressure situations like job interviews, to prevent falling victim to social engineering attacks.

To avoid falling victim to such scams, developers should treat any code sent as part of an interview as untrusted: verify the legitimacy of the offer and the interviewer through an independent channel, read the package manifest (in particular any preinstall, install or postinstall lifecycle script) before running an install, prefer installing with scripts disabled (`npm install --ignore-scripts`) until the code has been reviewed, and run unfamiliar interview projects in a disposable virtual machine or container rather than on the workstation that holds SSH keys, cloud credentials and source repositories. Security tooling that scans npm packages for malware adds a further layer, and systems and software should be kept up to date.