EXECUTIVE SUMMARY:
North Korea's "Contagious Interview" campaign has intensified: 338 malicious npm packages attributed to it have accumulated more than 50,000 downloads. The operation, attributed to North Korean state-sponsored actors, follows a consistent playbook against developers in the Web3, cryptocurrency and blockchain sectors. The actors use more than 180 fake personas and over a dozen command-and-control (C2) endpoints to distribute malware through typosquatted packages and obfuscated loaders. The malware families seen include BeaverTail, HexEval, XORIndex and InvisibleFerret; the packages execute at install time or on first import, reconstruct obfuscated code in memory and establish persistence through a backdoor. The wave-based, iterative publishing of new packages shows the actors' adaptability and persistence in compromising the software supply chain.
The campaign uses a multi-stage delivery chain. Developers are first lured with fake job offers into downloading malicious npm packages. On installation (through npm lifecycle scripts) or on first import, the packages run obfuscated code that reconstructs BeaverTail in memory; BeaverTail then fetches the InvisibleFerret backdoor, which provides persistence and remote access. The loaders are encrypted or encoded, and some stages hide payloads inside QR-code images, a steganographic technique used to evade detection. Typosquatting and rapid rotation of package names complicate detection and takedown, and the use of many C2 endpoints alongside rotating npm publisher aliases keeps the campaign resilient and scalable.
The escalation of Contagious Interview underscores how software supply chain attacks are evolving. By pairing job-related lures with layered delivery techniques, the North Korean actors show a high level of operational maturity. New malicious packages appear weekly, which calls for continuous vigilance and proactive defence. Developers are advised to block malicious packages at install time with tools such as Socket Firewall, to disable npm lifecycle scripts where their workflow allows, and to treat unsolicited job offers with suspicion. Containing the threat requires collaboration between developers, security researchers and platform providers to protect the integrity of the software supply chain.
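As an added illustration (not code from the original report or from any vendor tool it mentions), the following Node.js script performs the kind of pre-install triage a team can run on a package before `npm install`: it lists the lifecycle hooks npm would execute automatically, scans the package's sources for loader patterns that rebuild code in memory (eval, the Function constructor, long encoded blobs, child_process, outbound HTTP), and checks the package name for a near miss against a list of well-known names. The indicator list, the allowlist and both packages are constructed for the example and are not real artifacts or signatures from the campaign.

```javascript
'use strict';

// npm lifecycle hooks that run automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Source patterns typical of loaders that decode and execute a payload in memory.
// Generic heuristics written for this example, not signatures from the campaign.
const INDICATORS = [
  { name: 'eval()', re: /\beval\s*\(/ },
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/ },
  { name: 'long base64 literal', re: /["'`][A-Za-z0-9+\/]{200,}={0,2}["'`]/ },
  { name: 'hex-escape run', re: /(?:\\x[0-9a-fA-F]{2}){20,}/ },
  { name: 'child_process', re: /require\(\s*["'`]child_process["'`]\s*\)/ },
  { name: 'outbound HTTP', re: /require\(\s*["'`]https?["'`]\s*\)|\bfetch\s*\(/ },
];

// Indicators that, combined with an install hook, are enough to refuse the package.
const EXECUTION_INDICATORS = new Set(['eval()', 'Function constructor', 'child_process', 'outbound HTTP']);

// Levenshtein distance with a single rolling row; used by the typosquat check.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Closest well-known name within two edits of `name`, or null (an exact match is the real package).
function typosquatCandidate(name, knownNames) {
  if (knownNames.includes(name)) return null;
  let best = null;
  for (const known of knownNames) {
    const distance = editDistance(name, known);
    if (distance <= 2 && (best === null || distance < best.distance)) best = { target: known, distance };
  }
  return best;
}

// Static triage of one package. `manifest` is the parsed package.json, `files` maps relative
// paths to source text, `knownNames` is the allowlist used for the name check.
function triagePackage(manifest, files, knownNames = []) {
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));

  const hits = [];
  for (const [file, source] of Object.entries(files)) {
    for (const { name, re } of INDICATORS) {
      if (re.test(source)) hits.push({ file, indicator: name });
    }
  }

  const typosquat = typosquatCandidate(manifest.name || '', knownNames);
  const executesAtInstall = hooks.length > 0 && hits.some((h) => EXECUTION_INDICATORS.has(h.indicator));

  let verdict = 'allow';
  if (executesAtInstall || (typosquat && hooks.length > 0)) verdict = 'block';
  else if (hooks.length > 0 || hits.length > 0 || typosquat) verdict = 'review';

  return { name: manifest.name, hooks, hits, typosquat, verdict };
}

// Constructed allowlist and two constructed packages (none of these are real artifacts).
const KNOWN_NAMES = ['express', 'lodash', 'react', 'axios'];

const SUSPICIOUS = {
  manifest: { name: 'expres', version: '1.0.3', scripts: { postinstall: 'node scripts/setup.js' } },
  files: {
    'scripts/setup.js': [
      "const https = require('https');",
      "const blob = '" + 'QUJDRA'.repeat(40) + "';", // 240-character encoded stage
      "new Function(Buffer.from(blob, 'base64').toString())();",
    ].join('\n'),
  },
};

const BENIGN = {
  manifest: { name: 'left-pad-clone', version: '0.1.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (s, n) => s.padStart(n);' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const pkg of [SUSPICIOUS, BENIGN]) {
    console.log(JSON.stringify(triagePackage(pkg.manifest, pkg.files, KNOWN_NAMES), null, 2));
  }
}
```

Run it with `node triage.js` against an unpacked tarball (`npm pack` plus `tar xzf`) before installing, and pair it with `ignore-scripts=true` in `.npmrc` so lifecycle hooks never run during install. Treat the name check as a prompt for review rather than a verdict: legitimate short names sit within one edit of each other (ws and qs, for instance), which is why the script only blocks on a near-miss name when the package also carries an install hook.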
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-Technique |
Resource Development | T1608.001 | Stage Capabilities | Upload Malware |
Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
Execution | T1204.002 | User Execution | Malicious File |
Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
Persistence | T1546.016 | Event Triggered Execution | Installer Packages |
Defence Evasion | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
Credential Access | T1555.001 | Credentials from Password Stores | Keychain |
Discovery | T1082 | System Information Discovery | — |
Discovery | T1083 | File and Directory Discovery | — |
Discovery | T1217 | Browser Information Discovery | — |
Collection | T1005 | Data from Local System | — |
Collection | T1119 | Automated Collection | — |
Command and Control | T1105 | Ingress Tool Transfer | — |
Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
Impact | T1657 | Financial Theft | — |
MBC MAPPING:
Objective | Behaviour ID | Behaviour |
Lateral Movement | E1195 | Supply Chain Compromise |
Execution | B0011 | Remote Commands |
Execution | B0025 | Conditional Execution |
Anti-Static Analysis | B0032 | Executable Code Obfuscation |
Discovery | E1082 | System Information Discovery |
Communication Micro-objective | C0002 | HTTP Communication |
REFERENCES:
The following reports contain further technical details: