Malicious npm Packages with Malware Threaten Developers

In September 2024, three npm packages were found to be infected with BeaverTail, a type of JavaScript-based malware designed to steal information. These packages, uploaded to the npm registry, are suspected to be part of a larger North Korean-led campaign known as Contagious Interview.

The campaign has been actively tracked and analyzed by a research team, which has codenamed it Tenacious Pungsan. This attack pattern is also associated with other identifiers, such as CL-STA-0240 and Famous Chollima.

The infected packages, which were quickly removed from the registry, included names mimicking popular tools in the developer community:
– passports-js: A backdoored variant of the passport library (118 downloads)
– bcrypts-js: A compromised version of bcryptjs (81 downloads)
– blockscan-api: A fake copy of etherscan-api (124 downloads)

Contagious Interview is a sustained campaign that began in 2023, targeting developers by disguising malicious packages or applications as coding tests or job-related materials. Through this approach, unsuspecting developers have been tricked into downloading malware-laden tools, creating a significant threat for both individual and organizational security.

In August 2024, similar malicious packages were found on npm, with some even attempting to install a Python-based backdoor called InvisibleFerret.

These recurring attacks reveal that the threat actors have a keen interest in the cryptocurrency space, as evidenced by their continued impersonation of the etherscan-api package.

Most recently, a security report noted that two additional fake npm packages — eslint-module-conf and eslint-scope-util — have been created to harvest cryptocurrency and maintain unauthorized access to developers’ systems.

Researchers stress that such campaigns are effective largely because they exploit the urgency and trust developers place in open-source libraries and resources during job applications or project development. As a result, the open-source software supply chain has become a favored route for distributing malware to downstream targets.

One researcher commented, “Backdooring npm packages has become a recurring strategy for these attackers. Campaigns like Contagious Interview serve as reminders that individual developers remain high-value targets for threat groups associated with the Democratic People’s Republic of Korea.”

To mitigate the risk of such attacks, developers should verify an npm package before installing it, preferably by checking its name and maintainers against the project's official repository.

Regular audits and updates of dependencies, combined with the use of automated vulnerability scanning tools, can also help identify potentially harmful packages early.
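An added example (not code from the article or from any project it names) of the kind of check the two paragraphs above describe: a small audit that reads a package.json and flags dependency names that appear on a denylist of the packages the article reports, or that sit within a small edit distance of a well-known package once separators and a "js" suffix are stripped, the pattern passports-js and bcrypts-js followed. The allowlist, the distance threshold and the sample package.json are constructed assumptions.

```javascript
// Added example (not code from the article or any project it names):
// audit the dependency names in a package.json for the lookalike pattern
// the Contagious Interview packages used. Lists are constructed here.
const KNOWN_GOOD = ['passport', 'bcryptjs', 'etherscan-api', 'eslint-scope', 'eslint-module-utils'];
// Names the article reports as malicious (all since removed from npm).
const KNOWN_BAD = new Set(['passports-js', 'bcrypts-js', 'blockscan-api', 'eslint-module-conf', 'eslint-scope-util']);
const MAX_DISTANCE = 2; // heuristic threshold, an assumption for this example
// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}
// Collapse the cheap variations typosquats rely on: separators and a "js" suffix.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, '').replace(/js$/, '');
}
// Returns one finding per suspicious dependency: { name, reasons: [...] }.
function auditDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const findings = [];
  for (const name of names) {
    const reasons = [];
    if (KNOWN_BAD.has(name)) reasons.push('listed as malicious');
    for (const good of KNOWN_GOOD) {
      if (name === good) continue; // the genuine package itself, not a lookalike
      const d = editDistance(normalize(name), normalize(good));
      if (d <= MAX_DISTANCE) reasons.push(`resembles ${good} (edit distance ${d})`);
    }
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}
// Constructed package.json mixing genuine and lookalike names.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { 'passports-js': '^0.6.0', 'blockscan-api': '^1.0.0', express: '^4.19.2' },
  devDependencies: { 'eslint-scope': '^8.0.0', 'bcrypts-js': '^2.4.3' },
});
console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
```

Note that blockscan-api is caught only by the denylist: a name that swaps a whole word for another is beyond the edit-distance heuristic, so such a check should be paired with a registry lookup of the package and its maintainers.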