North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages

Summary: North Korean threat actors have been found distributing malicious npm packages as part of their ongoing Contagious Interview campaign, which aims to infiltrate developer systems under the pretense of job interviews. These packages contain malware, including BeaverTail and a new backdoor known as Tropidoor, utilizing various obfuscation techniques to evade detection. The campaign underscores the persistent threat posed by these actors, who are diversifying their methods and continuously updating their malware variants.

Affected: npm ecosystem, developers, organizations using affected packages

Key points:

  • Newly discovered npm packages are spreading BeaverTail malware and a remote access trojan (RAT) loader.
  • The packages evaded detection through hexadecimal string encoding and were downloaded over 5,600 times before removal.
  • The campaign targets developers in South Korea using recruitment-themed phishing emails linked to malicious repositories.
  • Tropidoor, a new backdoor, facilitates extensive control over infected systems, including file exfiltration and process management.
  • Attackers are leveraging different hosting platforms like GitHub and Bitbucket to deploy their malicious code.
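A defender-side check for the hexadecimal string encoding mentioned above, as an added example that is not code from the article or from the reported packages. The article does not describe the exact encoding, so the scanner assumes two common forms (quoted pure-hex literals and `\xNN` escape runs); the `SUSPICIOUS` token list and the sample input are constructed for illustration.

```javascript
// Added example: flag hex-encoded strings hidden in package source before install.
// Decoded tokens that warrant manual review (assumed list, extend as needed).
const SUSPICIOUS = [/^https?:\/\//i, /child_process/, /\beval\b/, /\brequire\b/, /\bexec\b/];

// Decode an even-length hex string; return null unless every byte is printable ASCII.
// This keeps hash digests and binary blobs out of the findings.
function decodeHex(hex) {
  if (hex.length % 2 !== 0) return null;
  const buf = Buffer.from(hex, 'hex');
  if (buf.length !== hex.length / 2) return null;
  for (const b of buf) if (b < 0x20 || b > 0x7e) return null;
  return buf.toString('latin1');
}

// Scan JavaScript source, line by line, for:
//   hex-literal: a quoted string of 8 or more hex byte pairs ("68747470...")
//   hex-escape:  a run of 4 or more \xNN escapes ("\x68\x74...")
function findHexStrings(source) {
  const patterns = [
    { kind: 'hex-literal', re: /(["'`])((?:[0-9a-fA-F]{2}){8,})\1/g, pick: m => m[2] },
    { kind: 'hex-escape', re: /(?:\\x[0-9a-fA-F]{2}){4,}/g, pick: m => m[0].replace(/\\x/g, '') },
  ];
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { kind, re, pick } of patterns) {
      for (const m of text.matchAll(re)) {
        const decoded = decodeHex(pick(m));
        if (decoded === null) continue; // not hidden text (e.g. a digest)
        const suspicious = SUSPICIOUS.some(p => p.test(decoded));
        findings.push({ line: i + 1, kind, decoded, suspicious });
      }
    }
  });
  return findings;
}

// Constructed sample: a SHA-256 digest (ignored), a hex-encoded URL,
// an escaped module name, and an ordinary string.
const SAMPLE = [
  'const sha = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08";',
  'const a = Buffer.from("687474703a2f2f6578616d706c652e696e76616c6964", "hex").toString();',
  'const m = "\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73";',
  'const greeting = "hello";',
].join('\n');

console.log(findHexStrings(SAMPLE));
```

Run it over the unpacked tarball of a dependency (for example the output of `npm pack <name>`) rather than an installed copy, so that no install script executes before the review.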

Source: https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html