TL;DR
- North Korean hackers used npm to distribute more than 300 malicious packages that stole credentials and wallet keys.
- The attackers used package names that mimic popular libraries (typosquatting) and fake recruiter profiles on LinkedIn to get their code into developers' automated dependency chains.
- Socket reports around 50,000 downloads before the packages were removed.
Researchers at Socket identified a campaign by state-backed North Korean hackers who exploited the npm registry to distribute malware targeting developers in the crypto and blockchain industries.
According to the report, more than 300 malicious packages were published as part of the campaign tracked as "Contagious Interview", under names resembling well-known libraries to avoid suspicion.
The packages appeared as harmless modules, but once installed, they executed scripts that stole credentials, extracted browser data, and recovered cryptocurrency wallet keys.
How North Korean Hackers Operated
The North Korean hackers used encrypted loaders that decrypted malicious payloads directly in memory, leaving few traces on disk and complicating forensic investigation. Socket estimated around 50,000 downloads before many of the packages were removed; however, some remain accessible.
To lure victims, the attackers used fake LinkedIn recruiter profiles and sent job offers that acted as bait. They also published packages under misspelled variants of popular library names such as express, dotenv, and hardhat, so that a typo in a manifest or an unreviewed dependency update pulled the malicious package into automated dependency chains without manual review.
The incident highlights the vulnerability of the software supply chain: by publishing to a central registry that developers and build systems trust implicitly, the attackers could propagate malicious code to numerous dependent applications and production environments without targeting each system individually. The techniques and patterns observed by researchers match malware families previously linked to North Korea, such as BeaverTail and InvisibleFerret, providing evidence that supports this attribution.
GitHub's Response
GitHub, owner of npm, stated that it removes malicious packages when detected and is strengthening account verification to reduce malicious activity. Even so, experts consider the response insufficient while rapid installation practices and unvetted dependencies persist. They recommend treating every "npm install" command as potential code execution, auditing dependencies before merging them into repositories, and deploying automated scanning and verification tools.
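The two checks above, name lookalikes that slip into a manifest and install-time code execution, can both be caught before a merge. The script below is an added example written for this article; it is not code from Socket, GitHub, or the campaign write-up. The `POPULAR` allowlist, the sample `package.json`, and the sample `node_modules` manifests are constructed for the example, and the edit-distance threshold is an assumption to tune for your own dependency set.

```javascript
// Added example (not code from Socket, GitHub or the campaign write-up).
// Two pre-merge checks for an npm project: dependency names that sit one edit
// away from a popular package, and manifests declaring lifecycle hooks that
// npm runs automatically on install. All sample data below is constructed.

// Assumed allowlist of packages the team actually uses; in practice derive it
// from the existing lockfile or an internal registry mirror.
const POPULAR = ["express", "dotenv", "hardhat", "lodash", "axios", "react"];

// Optimal-string-alignment distance: insert/delete/substitute cost 1, and an
// adjacent transposition ("dotnev" vs "dotenv") costs 1 instead of 2, which
// plain Levenshtein would miss at a threshold of 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// "@scope/name" -> "name". A scoped package reusing a popular unscoped name is
// a lookalike too, so the scope is stripped before comparison.
function bareName(name) {
  return name.startsWith("@") && name.includes("/") ? name.slice(name.indexOf("/") + 1) : name;
}

// Returns every dependency that is a scoped copy of, or within maxDistance
// edits of, a name on the allowlist. Exact unscoped matches are the real thing.
function findTyposquats(pkg, popular = POPULAR, maxDistance = 1) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const hits = [];
  for (const name of Object.keys(deps)) {
    const bare = bareName(name);
    if (popular.includes(bare)) {
      if (name !== bare) hits.push({ name, lookalike: bare, distance: 0 }); // e.g. "@acme/express"
      continue;
    }
    for (const p of popular) {
      const distance = editDistance(bare, p);
      if (distance <= maxDistance) hits.push({ name, lookalike: p, distance });
    }
  }
  return hits;
}

// Lifecycle hooks npm runs for registry dependencies without asking. Any of
// these means "npm install" executes that package's code on the developer's
// machine. ("prepare" additionally runs for git-sourced deps and the root project.)
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Flags every manifest that declares an install-time hook, with the command it would run.
function findInstallScripts(manifests) {
  const hits = [];
  for (const m of manifests) {
    for (const hook of INSTALL_HOOKS) {
      if (m.scripts && typeof m.scripts[hook] === "string") {
        hits.push({ name: m.name, hook, command: m.scripts[hook] });
      }
    }
  }
  return hits;
}

// Constructed sample project manifest: two misspellings and one scoped copy.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.19.2", dotnev: "^16.0.0", "@acme/express": "^1.0.0", lodash: "^4.17.21" },
  devDependencies: { expresss: "^4.0.1", "@types/node": "^20.0.0" },
};

// Constructed sample manifests, shaped like node_modules/<name>/package.json.
const SAMPLE_MANIFESTS = [
  { name: "expresss", version: "4.0.1", scripts: { postinstall: "node ./lib/loader.js" } },
  { name: "lodash", version: "4.17.21", scripts: { test: "mocha" } },
  { name: "dotnev", version: "16.0.0", scripts: { preinstall: "node -e \"require('./setup')\"" } },
];

console.log("typosquat candidates:", findTyposquats(SAMPLE_PACKAGE_JSON));
console.log("install-time scripts:", findInstallScripts(SAMPLE_MANIFESTS));
```

Run this in CI against the project's `package.json` and the manifests under `node_modules` after `npm ci --ignore-scripts`, and fail the build on any hit so a human looks at it before the hooks are ever allowed to run. The distance threshold of 1 is deliberate: at 2, short names on the allowlist start matching unrelated legitimate packages, so widen it only together with a longer, project-specific allowlist.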
The open-source ecosystem is crucial for fostering innovation, but it also presents an attack vector when sophisticated actors choose to weaponize repositories. Companies and development teams must reinforce controls, protect credentials, and implement procedures that minimize exposure.