North Korean threat actors planted 67 malicious packages in the Node Package Manager (npm) online repository to deliver a new malware loader called XORIndex to developer systems.
The packages collectively count more than 17,000 downloads and were discovered by researchers at package security platform Socket, who assess them to be part of the continued Contagious Interview operation.
Socket researchers say that the campaign follows threat activity detected since April. Last month, the same actor infiltrated npm with 35 packages that dropped information stealers and backdoors onto developers’ devices.
Timeline of the latest attack waves (Source: Socket)
Overview of the attacks
Contagious Interview is a North Korean state-backed campaign that targets mostly developers with fake job offers to trick them into running malicious code on their systems.
The purpose varies from collecting sensitive information that allows breaching companies to stealing cryptocurrency assets.
The Node Package Manager (npm) is the default package manager for Node.js, a platform where developers publish and install JavaScript libraries and tools. It is widely used in web development, but also frequently exploited by threat actors for malware distribution.
Out of the 67 packages the threat actors uploaded onto npm this time, there are several that appear to mimic or blend the names of legitimate software projects and libraries, like:
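The name mimicry and name blending described above is something a defender can screen for before a dependency is installed. The following is an added example, not code from Socket or from the article; the list of well-known packages and the sample manifest are constructed for illustration and do not reproduce the campaign's real package names.

```javascript
// Added example (not from the Socket report): flag dependency names in a
// package.json that closely resemble well-known npm packages, the mimicry
// technique the article describes. KNOWN is a constructed allow-list; a real
// deployment would use the organisation's own vetted dependency inventory.
const KNOWN = ["react", "express", "lodash", "axios", "chalk", "dotenv"];

// Levenshtein edit distance between two strings (insert/delete/substitute).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
      );
    }
  }
  return dp[a.length][b.length];
}

// Classify one dependency name: exact known names pass; near-misses (edit
// distance 1-2, e.g. a typo variant) and "blends" (a known name glued to
// extra tokens) are reported for manual review before install.
function classifyName(name) {
  if (KNOWN.includes(name)) return { name, verdict: "known" };
  for (const k of KNOWN) {
    const d = editDistance(name, k);
    if (d > 0 && d <= 2) return { name, verdict: "lookalike", of: k, distance: d };
  }
  const tokens = name.split(/[-_.]/);
  const hit = tokens.find((t) => KNOWN.includes(t));
  if (hit && tokens.length > 1) return { name, verdict: "blend", of: hit };
  return { name, verdict: "unknown" };
}

// Walk dependencies and devDependencies of a parsed package.json and return
// every entry that is not an exact match against the known list.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps).map(classifyName).filter((r) => r.verdict !== "known");
}

// Constructed sample manifest: names are illustrative, not real packages.
const samplePkg = {
  dependencies: { react: "^18.0.0", expresss: "1.0.0", "lodash-helper-core": "2.1.0" },
  devDependencies: { leftpad: "1.0.0" },
};

console.log(auditPackageJson(samplePkg));
```

An "unknown" verdict is not a clean bill of health; it only means the name did not resemble anything on the allow-list and still needs the usual review of publisher, age and install scripts.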