The North Korean threat actors behind the ongoing campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT ) loader.
” These latest samples employ hexadecimal string encoding to evade automated monitoring systems and manual code reviews, signaling a variation in the threat actors ‘ subterfuge techniques”, Socket security researcher Kirill Boychenko in a statement.
The packages in question, which were cooperatively downloaded more than 5, 600 times due to their removal, are listed below-
- empty-array-validator
- twitterapis
- dev-debugger-vite
- snore-log
- core-pino
- events-utils
- icloud-cod
- cln-logger
- node-clog
- consolidate-log
- consolidate-logger
The disclosure comes nearly a month after a set of six node plans were discovered distributing Beaver Neck, a JavaScript grabber that’s also capable of delivering a Python-based secret dubbed InvisibleFerret.
The end goal of the campaign is to invade designer systems under the guise of a job interview method, steal sensitive data, funnel financial assets, and maintain long-term access to affected systems.
The newly identified npm libraries masquerade as utilities and debuggers, with one of them – dev-debugger-vite – using a command-and-control ( C2 ) address previously flagged by SecurityScorecard as used by the Lazarus Group in a campaign codenamed in December 2024.
What makes these items stand out is some of them, such as events-utils and icloud-cod, are linked to Bitbucket libraries, as opposed to Git Hub. However, the icloud-cod deal has been found to be hosted within a file named “”, reiterating the danger writer’s use of interview-related themes to activating the infection.
An analysis of the packages, cln-logger, node-clog, consolidate-log, and consolidate-logger, has also uncovered minor code-level variations, indicating that the attackers are publishing multiple malware variants in an attempt to increase the success rate of the campaign.
Regardless of the changes, the malicious code embedded within the four packages function as a remote access trojan (RAT ) loader that’s capable of propagating a next-stage payload from a remote server.
” The Contagious Interview threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, Git Hub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down”, Boychenko said.
” The advanced persistent threat ( APT ) group is diversifying its tactics — publishing new malware under fresh aliases, hosting payloads in both GitHub and Bitbucket repositories, and reusing core components like BeaverTail and InvisibleFerret alongside newly observed RAT/loader variant”.
BeaverTail Drops Tropidoor
The disclosure comes as South Korean cybersecurity company AhnLab detailed a recruitment-themed phishing campaign that delivers Beaver Tail, which is then used to deploy a previously undocumented Windows backdoor codenamed Tropidoor. Artifacts analyzed by the firm show that BeaverTail is being used to actively target developers in South Korea.
The , which claimed to be from a company called AutoSquare, contained a link to a project hosted on Bitbucket, urging the recipient to clone the project locally on their machine to review their understanding of the program.
The application is nothing but an npm library that contains BeaverTail ( “tailwind. config. js” ) and a DLL downloader malware (” car. dll” ), the latter of which is launched by the JavaScript stealer and loader.
Tropidoor is a backdoor “operating in memory through the downloader” that’s capable of contacting a C2 server to receive instructions that make it possible to exfiltrate files, gather drive and file information, run and terminate processes, capture screenshots, and delete or wipe files by overwriting them with NULL or junk data.
An important aspect of the implant is that it directly implements Windows commands such as schtasks, ping, and reg, a feature previously also observed in another Lazarus Group malware called , itself a successor of (aka AIRDRY aka ZetaNile ).
” Users should be cautious not only with email attachments but also with executable files from unknown sources”, AhnLab .