‘Contagious Interview’ Lures Developers
State-sponsored threat actors from the Democratic People’s Republic of Korea (DPRK) have been linked to a sophisticated social engineering campaign targeting software developers. The operation, dubbed the ‘Contagious Interview’, leverages fake job opportunities to trick developers into downloading and executing malicious npm packages. Attackers, posing as recruiters, initiated contact with potential victims on professional platforms such as GitHub and LinkedIn before moving the conversation to an encrypted messaging app like Telegram.
As part of this fabricated hiring process, the developers were directed to a GitHub repository containing a supposed coding challenge or questionnaire. This repository served as the primary delivery mechanism for the malware, designed to compromise the developer’s machine upon execution.
An Automated Malware Distribution System
The GitHub repositories provided to the targets contained malicious packages published to the public npm registry. Security firm Phylum, which discovered the campaign, identified several of these packages, including ‘quest-components-karrot’, ‘p-palette’, and ‘d-logo’. When a developer installed the package using a standard command like ‘npm install’, obfuscated code within the package would download and execute a second-stage payload from a remote server.
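The install-time execution described above relies on npm running a package's lifecycle scripts during a plain `npm install`. As an added illustration (example code, not from the article or from Phylum), the small Node.js audit below flags `package.json` install hooks and heuristically rates them; it assumes the malicious packages used a `preinstall`/`install`/`postinstall`/`prepare` script, which the article does not state explicitly, and the package names and commands are constructed.

```javascript
// Added example (not the article's or Phylum's code): flag npm manifests whose
// install-time lifecycle hooks let code run during an ordinary `npm install`.

// Lifecycle scripts npm executes automatically while installing a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics for hooks that fetch or evaluate code; these are generic patterns,
// not indicators taken from the campaign.
const SUSPICIOUS = [
  /\bcurl\b|\bwget\b/i,                  // downloads from a remote host
  /\bnode\s+-e\b/i,                      // inline JavaScript passed on the command line
  /\b(eval|Function)\s*\(/,              // dynamic evaluation
  /base64|fromCharCode|\\x[0-9a-f]{2}/i  // common obfuscation hints
];

// Returns which install hooks a manifest declares and a coarse risk rating.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const cmd = scripts[hook];
    const hits = SUSPICIOUS.filter((re) => re.test(cmd)).length;
    findings.push({ hook, cmd, risk: hits > 0 ? "high" : "review" });
  }
  return { name: manifest.name, findings, runsCodeOnInstall: findings.length > 0 };
}

// Constructed sample manifests; names and commands are made up for this example.
const benign = { name: "sample-widget", scripts: { test: "mocha" } };
const hooked = {
  name: "sample-theme",
  scripts: {
    postinstall: "node -e \"eval(Buffer.from('PLACEHOLDER','base64').toString())\""
  }
};

for (const m of [benign, hooked]) {
  const r = auditManifest(m);
  console.log(`${r.name}: runsCodeOnInstall=${r.runsCodeOnInstall}`, r.findings);
}
// Mitigation: have npm skip lifecycle scripts by default (`npm install --ignore-scripts`,
// or `ignore-scripts=true` in .npmrc) and review any flagged hook before enabling it.
```

Run it against the `package.json` of each dependency in `node_modules` to surface packages that execute code at install time before trusting them.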
The attackers demonstrated a rapid and persistent operational tempo. After one set of malicious packages was identified and removed, new ones were quickly published under different author names. This continuous publication of new, slightly altered malware led researchers to describe the operation as a malicious npm package factory. The tactics, techniques, and procedures observed in this campaign align with previously identified activity from North Korean threat groups.
Source: https://www.darkreading.com/application-security/contagious-interview-malicious-npm-package-factory