TZUTC: -0500   
   MSGID: 1234.consprcy@1:2320/105 2cdcfda7   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   North Korean hackers release malware-ridden packages into npm registry   
      
   Date:   
   Tue, 15 Jul 2025 15:58:00 +0000   
      
   Description:   
   A second wave of tainted packages was spotted on npm, likely part of a larger   
   campaign.   
      
   FULL STORY   
      
   North Korean hackers have been seen pushing dozens of malicious packages to   
   npm in an attempt to compromise western technology products through supply   
   chain attacks.    
      
   Cybersecurity researchers Socket claim the latest push of 67 malicious   
   packages is just the second leg of a previous attack, in which 35 packages   
   were published, as part of a campaign called Contagious Interview.    
      
   "The Contagious Interview operation continues to follow a whack-a-mole   
   dynamic, where defenders detect and report malicious packages, and North   
   Korean threat actors quickly respond by uploading new variants using the    
   same, similar, or slightly evolved playbooks," Socket researcher Kirill   
   Boychenko said.   
      
   Thousands of victims    
      
   Uploading malicious code to npm is just a setup. The real attack most likely   
   happens elsewhere - on LinkedIn, Telegram, or Discord. North Korean attackers   
   would pose as recruiters, or HR managers in large, reputable tech companies,   
   and would reach out to software developers offering work.    
      
   The interview process includes multiple rounds of talks and concludes with a   
   test assignment. That test assignment requires the job seeker to download and   
   run an npm package, which is where the person ends up with a compromised   
   device. Obviously, that doesnt mean that other people couldnt accidentally   
   download tainted packages, as well.    
      
   Cumulatively, the packages attracted more than 17,000 downloads, which is   
   quite the attack surface.    
      
   North Koreans are infamous for their fake job and fake employee scams, whose   
   goals usually vary between cyber-espionage and financial theft. If theyre not   
   stealing intellectual property or proprietary data, then theyre stealing   
   cryptocurrencies which the government uses to fund the state apparatus and    
   its nuclear weapons program.    
      
   The campaigns deploy all sorts of malware , from the BeaverTail infostealer,   
   across XORIndex Loader, HexEval, and many others.    
      
   "Contagious Interview threat actors will continue to diversify their malware   
   portfolio, rotating through new npm maintainer aliases, reusing loaders such   
   as HexEval Loader and malware families like BeaverTail and InvisibleFerret,   
   and actively deploying newly observed variants including XORIndex Loader,"    
   the researchers concluded.    
      
    Via The Hacker News   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/north-korean-hackers-release-malware-ri   
   dden-packages-into-npm-registry   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426