The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader.
“These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors’ obfuscation techniques,” Socket security researcher Kirill Boychenko said in a report.
The packages in question, which were collectively downloaded more than 5,600 times prior to their removal, are listed below –
- empty-array-validator
- twitterapis
- dev-debugger-vite
- snore-log
- core-pino
- events-utils
- icloud-cod
- cln-logger
- node-clog
- consolidate-log
- consolidate-logger
The disclosure comes nearly a month after a set of six npm packages were discovered distributing BeaverTail, a JavaScript stealer that’s also capable of delivering a Python-based backdoor dubbed InvisibleFerret.
The end goal of the campaign is to infiltrate developer systems under the guise of a job interview process, steal sensitive data, siphon financial assets, and maintain long-term access to compromised systems.
The newly identified npm libraries masquerade as utilities and debuggers, with one of them – dev-debugger-vite – using a command-and-control (C2) address previously flagged by SecurityScorecard as used by the Lazarus Group in a campaign codenamed Phantom Circuit in December 2024.
What makes these packages stand out is some of them, such as events-utils and icloud-cod, are linked to Bitbucket repositories, as opposed to GitHub. Furthermore, the icloud-cod package has been found to be hosted within a directory named “eiwork_hire,” reiterating the threat actor’s use of interview-related themes to activate the infection.
An analysis of the packages, cln-logger, node-clog, consolidate-log, and consolidate-logger, has also uncovered minor code-level variations, indicating that the attackers are publishing multiple malware variants in an attempt to increase the success rate of the campaign.
Regardless of the changes, the malicious code embedded within the four packages functions as a remote access trojan (RAT) loader that’s capable of propagating a next-stage payload from a remote server.
“The Contagious Interview threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down,” Boychenko said.
“The advanced persistent threat (APT) group is diversifying its tactics — publishing new malware under fresh aliases, hosting payloads in both GitHub and Bitbucket repositories, and reusing core components like BeaverTail and InvisibleFerret alongside newly observed RAT/loader variant.”
BeaverTail Drops Tropidoor
The discovery of the new npm packages comes as South Korean cybersecurity company AhnLab detailed a recruitment-themed phishing campaign that delivers BeaverTail, which is then used to deploy a previously undocumented Windows backdoor codenamed Tropidoor. Artifacts analyzed by the firm show that BeaverTail is being used to actively target developers in South Korea.
The email message, which claimed to be from a company called AutoSquare, contained a link to a project hosted on Bitbucket, urging the recipient to clone the project locally on their machine to review their understanding of the program.
The application is nothing but an npm library that contains BeaverTail (“tailwind.config.js”) and a DLL downloader malware (“car.dll”), the latter of which is launched by the JavaScript stealer and loader.
Tropidoor is a backdoor “operating in memory through the downloader” that’s capable of contacting a C2 server to receive instructions that make it possible to exfiltrate files, gather drive and file information, run and terminate processes, capture screenshots, and delete or wipe files by overwriting them with NULL or junk data.
An important aspect of the implant is that it directly implements Windows commands such as schtasks, ping, and reg, a feature previously also observed in another Lazarus Group malware called LightlessCan, itself a successor of BLINDINGCAN (aka AIRDRY aka ZetaNile).
“Users should be cautious not only with email attachments but also with executable files from unknown sources,” AhnLab said.
