BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers
- November 4, 2024
- Posted by: claudia
In September 2024, three malicious packages were discovered on the npm registry containing BeaverTail malware, a JavaScript downloader and information stealer associated with a North Korean campaign known as Contagious Interview. This campaign particularly targets software developers by tricking them into downloading seemingly innocuous packages or video conferencing applications as part of a coding evaluation. The Datadog Security Research team, monitoring this activity under the name Tenacious Pungsan, identified the malicious packages, which have since been removed from the registry.
The identified malicious packages included “passports-js,” a backdoored copy of the passport package with 118 downloads; “bcrypts-js,” a backdoored copy of bcryptjs with 81 downloads; and “blockscan-api,” which mimics etherscan-api and had 124 downloads. Contagious Interview has been ongoing since its inception in November 2023, demonstrating a year-long effort by the Democratic People’s Republic of Korea (DPRK) to exploit developers’ trust.
This incident marks a continuation of previous tactics utilized by DPRK-associated threat actors, particularly the distribution of BeaverTail through npm packages. An earlier report in August 2024 by Phylum highlighted a series of similar compromised npm packages that paved the way for BeaverTail and another backdoor named InvisibleFerret. The cryptocurrency sector remains a favored target: attackers repeatedly copy the etherscan-api package to trade on its popularity.
In addition to these packages, researchers from Stacklok reported last month that they had found new counterfeit packages—eslint-module-conf and eslint-scope-util—specifically designed to steal cryptocurrencies and maintain persistent access to infected machines. This highlights an evolving trend in the misuse of open-source software by adversaries looking to infiltrate developer environments through social engineering and trust exploitation.
The consistent mimicry of legitimate npm packages underlines a tactic frequently leveraged by threat actors in the software development ecosystem. As detailed by Datadog, copying and backdooring legitimate packages remains prevalent, showcasing a targeted approach towards individual developers. The DPRK-linked campaigns, particularly Contagious Interview, emphasize the significant risks developers face in the current digital landscape, where malicious actors exploit both technical vulnerabilities and human factors.
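The mimicry pattern described above (passports-js for passport, bcrypts-js for bcryptjs, blockscan-api for etherscan-api) is something a team can check for before `npm install` runs in a coding-assessment repository. The following Node script is an added example written for this post; it is not code from Datadog, Phylum or Stacklok. It reads a package.json, blocks names that appear in a known-malicious list (the five names from the reports above), and flags names that, after stripping cosmetic suffixes such as `-js` or `-api`, sit within a small edit distance of a team-maintained allowlist. The allowlist, the sample package.json and its version strings are constructed for the example.

```javascript
// Added example: audit package.json dependency names for known-malicious
// entries and typosquat lookalikes of trusted packages (Node, no dependencies).

// Constructed allowlist (assumption: maintained by the team; not from the report).
const TRUSTED = ["passport", "bcrypt", "bcryptjs", "etherscan-api", "eslint-scope", "eslint-module-utils"];

// Package names reported as malicious in the reports summarised above.
const KNOWN_MALICIOUS = ["passports-js", "bcrypts-js", "blockscan-api", "eslint-module-conf", "eslint-scope-util"];

// Constructed sample manifest; versions are placeholders, not real releases.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "coding-assessment",
  dependencies: {
    express: "1.0.0",
    "passports-js": "1.0.0",
    "bcrypts-js": "1.0.0",
    "blockscan-api": "1.0.0",
    lodash: "1.0.0",
  },
  devDependencies: { "eslint-scope-util": "1.0.0" },
});

// Cosmetic suffixes that typosquats add or drop; stripped before comparison.
const SUFFIXES = ["-js", ".js", "js", "-api", "-node"];

// Lowercase, drop an npm scope, and strip cosmetic suffixes repeatedly.
function normalize(name) {
  let n = name.toLowerCase().replace(/^@[^/]+\//, "");
  let changed = true;
  while (changed) {
    changed = false;
    for (const s of SUFFIXES) {
      if (n.length > s.length && n.endsWith(s)) {
        n = n.slice(0, -s.length);
        changed = true;
      }
    }
  }
  return n;
}

// Standard single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Classify every dependency and devDependency name in a package.json text.
// Verdicts: known-malicious, ok (allowlisted), lookalike, unlisted.
function auditDependencies(packageJsonText, trusted = TRUSTED, malicious = KNOWN_MALICIOUS, maxDistance = 1) {
  const pkg = JSON.parse(packageJsonText);
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const trustedSet = new Set(trusted);
  const maliciousSet = new Set(malicious);
  return names.map((name) => {
    if (maliciousSet.has(name)) return { name, verdict: "known-malicious", reason: "listed as malicious" };
    if (trustedSet.has(name)) return { name, verdict: "ok", reason: "on allowlist" };
    const norm = normalize(name);
    for (const t of trusted) {
      const d = levenshtein(norm, normalize(t));
      if (d <= maxDistance) {
        return { name, verdict: "lookalike", reason: `within edit distance ${d} of trusted package ${t}` };
      }
    }
    return { name, verdict: "unlisted", reason: "not on allowlist; review before install" };
  });
}

// Convenience view: { packageName: verdict }.
function verdictMap(findings) {
  return Object.fromEntries(findings.map((f) => [f.name, f.verdict]));
}

// Stand-alone use: node audit.js [path/to/package.json]; defaults to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const text = file ? require("fs").readFileSync(file, "utf8") : SAMPLE_PACKAGE_JSON;
  for (const f of auditDependencies(text)) {
    console.log(`${f.verdict.padEnd(16)} ${f.name}  (${f.reason})`);
  }
}
```

Running the audit with the malicious list emptied shows the limit of the distance heuristic on its own: passports-js and bcrypts-js are caught as lookalikes, but blockscan-api and eslint-scope-util are not, because they borrow the shape of a trusted name rather than misspelling it. A name allowlist plus a maintained blocklist is therefore the check to rely on; the edit-distance pass only adds coverage for misspellings the blocklist has not seen yet.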
Overall, the findings outlined in recent security reports shed light on the increasing sophistication of cyber threats in the open-source software supply chain. This evolution not only jeopardizes the integrity of software development practices but also poses significant challenges for security professionals seeking to protect against such evolving risks. The targeting of developers as valuable assets in these cyber campaigns underscores the need for enhanced awareness and protective measures within the software development community.