[TIMESTAMP: 2026-03-02 12:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

North Korean Malicious npm Packages: Detecting Contagious Interview

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] North Korean hackers are deploying malicious npm packages to compromise developer environments through social engineering and supply chain poisoning.
  • [02] The campaign uses 26 specific npm packages that rely on Pastebin as a dead drop resolver for command-and-control.
  • [03] Security teams must perform dependency audits and block unauthorized egress traffic to Pastebin and similar code-sharing platforms.

Overview of the Contagious Interview Expansion

Security researchers have identified a significant escalation in a persistent APT campaign attributed to North Korean state-sponsored actors. According to The Hacker News, a total of 26 malicious packages were recently discovered on the npm registry, representing a new iteration of the ‘Contagious Interview’ activity cluster. This campaign typically involves Phishing developers via social media platforms like LinkedIn, masquerading as recruiters who invite targets to participate in technical coding assessments that require downloading malicious software.

This latest discovery highlights a sophisticated Supply Chain Attack vector where the attackers move beyond direct file sharing to poisoning the ecosystem itself. The packages are designed to look like legitimate utility libraries, but they serve as a conduit for a cross-platform Remote Access Trojan (RAT) designed to exfiltrate sensitive data from development environments.

Technical Analysis of Malicious npm Packages

The Lazarus Group and associated North Korean clusters have refined their TTPs to evade detection by automated scanners. The primary mechanism found in these 26 packages is a two-stage infection process: upon installation, the package executes a post-install script that launches the first stage of the malware.

A key finding of the researchers' analysis of the Pastebin C2 dead drop resolver is how the malware locates its command infrastructure. Rather than hardcoding a C2 server, which an EDR would readily flag, the malware fetches a specific Pastebin URL. That paste acts as a ‘dead drop resolver’: it holds an encoded string that, once decoded, yields the IP address or domain of the attacker’s server. Because Pastebin is a trusted domain, the initial beacon is far more likely to pass through basic network filters undetected.

The payload itself is capable of various malicious activities, including Privilege Escalation attempts once a foothold is established. The malware scans the local environment for sensitive files, such as .env files, SSH keys, and cryptocurrency wallet configurations, which are then compressed and sent to the retrieved C2 address. This facilitates Lateral Movement within the enterprise network if the developer has high-level access to production systems or cloud environments.
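The two-stage pattern described above (an install hook that runs a local script, which in turn reaches a text-sharing host) can be audited statically before anything executes. The following is an added example, not code from the article or from the researchers it cites: it walks a set of package manifests, flags npm install-time hooks, and checks both the hook command and the local file it invokes for URLs on a dead-drop host list. The package names, script bodies and host list are constructed assumptions for illustration.

```python
"""Audit npm package manifests for install-time hooks and dead-drop hosts.

Added example for this article, not code from the original or from any
referenced research. Package names, script bodies and the host list below
are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lifecycle hooks that npm runs automatically for a dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Text-sharing hosts the article names as dead-drop resolvers (assumed
# list; extend it with whatever your egress policy already denies).
DEAD_DROP_HOSTS = ("pastebin.com", "gist.github.com", "gist.githubusercontent.com")

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Finding:
    package: str
    reason: str   # "install-hook" or "dead-drop-host"
    detail: str


def audit_manifest(manifest: dict, files: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Return findings for one parsed package.json.

    `files` maps local script file names (e.g. "setup.js") to their contents,
    so a hook such as "node setup.js" can have its target inspected as well.
    """
    findings: List[Finding] = []
    name = manifest.get("name", "<unnamed>")
    scripts = manifest.get("scripts") or {}
    files = files or {}
    seen_hosts = set()
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(Finding(name, "install-hook", f"{hook}: {cmd}"))
        # Look at the hook command itself and at any local file it invokes.
        texts = [cmd] + [src for fname, src in files.items() if fname in cmd]
        for text in texts:
            for host in URL_HOST_RE.findall(text):
                host = host.lower()
                if host in DEAD_DROP_HOSTS and host not in seen_hosts:
                    seen_hosts.add(host)
                    findings.append(Finding(name, "dead-drop-host", host))
    return findings


def audit_tree(tree: Dict[str, dict]) -> List[Finding]:
    """Audit a whole node_modules tree given as {path: {"manifest": ..., "files": ...}}."""
    findings: List[Finding] = []
    for path in sorted(tree):
        entry = tree[path]
        findings.extend(audit_manifest(entry["manifest"], entry.get("files")))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding reasons by package so a reviewer can triage quickly."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.package, []).append(f.reason)
    return out


# Constructed sample tree: one benign package, one native add-on whose
# install hook is expected (hook alone is a weak signal), and one
# hypothetical package mimicking the article's two-stage pattern
# (hook -> local script -> Pastebin fetch). None of these are real packages.
SAMPLE_TREE = {
    "node_modules/string-helpers-ish": {
        "manifest": {"name": "string-helpers-ish", "scripts": {"test": "jest"}},
    },
    "node_modules/native-addon-ish": {
        "manifest": {"name": "native-addon-ish", "scripts": {"install": "node-gyp rebuild"}},
    },
    "node_modules/fake-utility-lib": {
        "manifest": {"name": "fake-utility-lib", "scripts": {"postinstall": "node setup.js"}},
        "files": {
            "setup.js": "fetch('https://pastebin.com/raw/PLACEHOLDER').then(r => r.text());",
        },
    },
}


if __name__ == "__main__":
    for f in audit_tree(SAMPLE_TREE):
        print(f"{f.package:20} {f.reason:15} {f.detail}")
```

An install hook on its own is a weak signal (native add-ons legitimately use one), so the triage summary separates "install-hook" from "dead-drop-host"; a package carrying both is what warrants immediate removal. To run this against a real checkout, load each `node_modules/*/package.json` with `json.load` and the files its hooks reference into the same `{path: {"manifest", "files"}}` shape.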

Mitigating and Defending Against North Korean Malicious npm Packages

Defending against these targeted supply chain threats requires a layered approach that combines technical controls with user awareness. To detect Contagious Interview npm packages, organizations should focus on unusual outbound traffic patterns. Specifically, monitoring for Node.js processes (node.exe or node) initiating connections to Pastebin, GitHub Gists, or other text-sharing platforms is a high-fidelity IoC for this campaign.

To strengthen the SOC response and general posture, teams should consider the following steps:

  • Implement Dependency Scanning: Utilize tools that compare project manifests against known databases of malicious packages. Any package identified as part of the Contagious Interview campaign must be removed immediately.
  • Network Egress Filtering: In a Zero Trust environment, developer machines should be restricted from reaching out to unauthorized external repositories or code-sharing sites. Use a SIEM to alert on connections to Pastebin from non-browser applications.
  • Map to MITRE ATT&CK: Align observed behaviors with the MITRE ATT&CK framework, focusing in particular on T1195.001 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools).
  • Developer Training: Educate staff on the risks of ‘recruitment-themed’ phishing. Developers should be cautious of any interviewer who insists on the installation of specific npm packages or custom software for a technical test.
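The egress-monitoring step (a Node.js process, rather than a browser, connecting to Pastebin or a Gist) can be expressed as a small detection over EDR or proxy network events. The following is an added example, not code from the article or any vendor product: it parses constructed `key=value` log lines, normalises the process path to a basename, and raises an alert only when the process is a Node.js interpreter and the destination is on the dead-drop host list. The log schema, hostnames and the ATT&CK technique used to tag the alert (T1102.001, Web Service: Dead Drop Resolver, which the article itself does not cite) are this example's own assumptions.

```python
"""Flag Node.js processes beaconing to text-sharing (dead-drop) hosts.

Added example for this article, not code from the original or from any
vendor product. The log format, hostnames and technique mapping are
constructed assumptions; adapt the parser to your EDR or proxy schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interpreters the article names (node, node.exe); npm/npx added as an assumption.
NODE_PROCESSES = {"node", "node.exe", "npm", "npm.cmd", "npx", "npx.cmd"}

# Hosts treated as dead-drop resolvers (assumed list, per the article).
DEAD_DROP_HOSTS = ("pastebin.com", "gist.github.com", "gist.githubusercontent.com")

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    process: str
    dst: str
    technique: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse '<ts> key=value ...' into a dict; return None for malformed lines."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    if "proc" not in fields or "dst" not in fields:
        return None
    fields["ts"] = parts[0]
    return fields


def is_dead_drop_host(dst: str) -> bool:
    """Exact or subdomain match against the dead-drop host list."""
    dst = dst.lower().rstrip(".")
    return any(dst == h or dst.endswith("." + h) for h in DEAD_DROP_HOSTS)


def detect_dead_drop_beacons(lines: List[str]) -> List[Alert]:
    """Return one Alert per non-browser Node.js connection to a dead-drop host."""
    alerts: List[Alert] = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        # Normalise "C:\nodejs\node.exe" or "/usr/bin/node" to a basename.
        proc = re.split(r"[\\/]", f["proc"])[-1].lower()
        if proc in NODE_PROCESSES and is_dead_drop_host(f["dst"]):
            alerts.append(Alert(
                ts=f["ts"], host=f.get("host", "?"), user=f.get("user", "?"),
                process=proc, dst=f["dst"].lower(),
                # T1102.001 (Web Service: Dead Drop Resolver) is this example's
                # mapping; the article cites T1195.001 for the delivery vector.
                technique="T1102.001",
            ))
    return alerts


# Constructed sample: a node process fetching from Pastebin, the same user's
# browser visiting Pastebin (benign, not flagged), a node.exe fetch from the
# npm registry (benign), a node.exe fetch from a Gist, and one malformed line.
SAMPLE_LOG = [
    "2026-03-02T12:00:01Z host=dev-ws-01 user=alice proc=/usr/bin/node pid=4120 dst=pastebin.com dport=443",
    "2026-03-02T12:00:05Z host=dev-ws-01 user=alice proc=chrome pid=2200 dst=pastebin.com dport=443",
    "2026-03-02T12:01:10Z host=dev-ws-02 user=bob proc=C:\\nodejs\\node.exe pid=8812 dst=registry.npmjs.org dport=443",
    "2026-03-02T12:02:33Z host=dev-ws-02 user=bob proc=C:\\nodejs\\node.exe pid=8812 dst=gist.githubusercontent.com dport=443",
    "garbage line without fields",
]


if __name__ == "__main__":
    for a in detect_dead_drop_beacons(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.user} {a.process} -> {a.dst} [{a.technique}]")
```

The browser connection is deliberately left alone: the article's signal is a non-browser application reaching these hosts, and alerting on every Pastebin visit would bury the SOC in noise. In a SIEM the same logic is a join between process name and destination host, with the host list maintained as a lookup table rather than hardcoded.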

By prioritizing these mitigations, organizations can reduce their attack surface and protect against the evolving threat posed by North Korean cyber operations.
