In a concerning escalation of supply chain attacks, North Korean state-sponsored hackers—linked to the ongoing "Contagious Interview" campaign—have been caught distributing the BeaverTail malware through 11 newly discovered malicious npm packages, according to cybersecurity research by Socket.
These packages were downloaded over 5,600 times before being taken down, posing a serious risk to developers and organizations relying on open-source JavaScript components.
🚨 New Wave of Malicious npm Packages Identified
Security researcher Kirill Boychenko reports that the latest attack wave demonstrates more sophisticated evasion techniques. The malware uses hexadecimal string encoding to bypass automated scans and manual code reviews—highlighting the threat actors’ evolving obfuscation methods.
📦 List of Compromised npm Packages:
empty-array-validator
twitterapis
dev-debugger-vite
snore-log
core-pino
events-utils
icloud-cod
cln-logger
node-clog
consolidate-log
consolidate-logger
🕵️‍♂️ Malware Capabilities: BeaverTail and New RAT Loader
These packages not only deliver BeaverTail, a JavaScript-based infostealer, but also serve as a dropper for InvisibleFerret, a Python backdoor. Some packages now include a new remote access trojan (RAT) loader, expanding the scope of the operation.
The goal of the campaign is to:
Infiltrate developer systems under the guise of fake job interviews
Steal sensitive credentials and intellectual property
Gain persistent access to compromised environments
Conduct financial fraud and long-term espionage
🧪 Deceptive Package Behavior and Hosting Techniques
Many of these malicious npm packages are disguised as developer tools or logging utilities. For instance, dev-debugger-vite communicates with a command-and-control (C2) server previously tied to Lazarus Group’s "Phantom Circuit" campaign in December 2024.
Key Findings:
Some packages, such as icloud-cod, are hosted on Bitbucket instead of GitHub.
The icloud-cod package references a folder called eiwork_hire, reinforcing the job interview-themed lure.
Code variations between packages like cln-logger, node-clog, and others indicate multiple malware variants intended to boost infection rates.
💣 New Malware Variant: Tropidoor
The campaign also overlaps with a fresh phishing effort discovered by South Korean cybersecurity firm AhnLab, where hackers impersonate companies like AutoSquare to trick developers into cloning infected Bitbucket repositories.
These repositories include:
tailwind.config.js (BeaverTail malware)
car.dll (a new downloader component)
This combination launches Tropidoor, a previously unknown Windows backdoor that:
Operates entirely in-memory
Connects to a remote server for commands
Can exfiltrate files, run processes, capture screenshots, and delete data
Executes built-in Windows commands like schtasks, ping, and reg—a behavior linked to earlier Lazarus Group tools such as LightlessCan and BLINDINGCAN
🛡️ How to Stay Protected
Experts urge developers and security teams to:
Avoid installing npm packages from unverified sources
Be suspicious of job-related projects hosted outside trusted platforms
Monitor systems for C2 communications and obfuscated JavaScript payloads
Regularly audit third-party dependencies using automated tools
🔍 Conclusion
This latest discovery underlines the critical need for supply chain security in software development. As North Korean hackers innovate their attack vectors with tools like BeaverTail, InvisibleFerret, and now Tropidoor, it’s essential to implement proactive threat monitoring and enforce strict package vetting practices.