Breaking: North Korean Cyberattackers Use 11 npm Packages to Spread BeaverTail Malware

Hackers Target Developers Using Fake Job Interviews

North Korean hackers are spreading dangerous malware called BeaverTail. They use a sneaky trick — pretending to offer job interviews to software developers. This method is called the “Contagious Interview” campaign.

The hackers have now reached the npm ecosystem. npm is a popular website where developers download code packages. These packages help them build software faster and more easily. But some of the packages are fake. They look useful but contain hidden malware. When developers install them, their computers get infected.

The hackers made and uploaded 11 fake packages on npm. These looked like helpful tools for developers. Some had names like twitterapis, core-pino, and debugger-vite. People downloaded these packages over 5,600 times before they were removed. Once installed, the packages infected computers with malware. This malware could steal data, spy on users, and control systems from far away.

The attackers designed the attack to fool software developers during what looks like a job hiring process. They lure victims into opening these malicious packages by using interview-related names or code directories, like “eiwork_hire,” which hint at employment. This trick allows the hackers to silently break into the developer’s system.

Malicious Code Hides Behind Fake Tools

The hackers disguised the 11 harmful npm packages as utilities or debuggers. These looked like normal tools that programmers use. Some packages, like events-utils and icloud-cod, were linked to Bitbucket. Bitbucket is a less popular code site than GitHub. This made the packages look more real. It also helped the hackers avoid quick detection.

Behind the scenes, these packages hid dangerous code. This code worked like a remote access trojan (RAT). A RAT lets hackers control infected computers from far away. The bad packages could download and run more code from the internet. They used a JavaScript function called eval() to do this. This method is risky and is often used by hackers.

Once the hackers gained access, they could do almost anything — steal sensitive files, download other malware, or even monitor the victim’s screen. The malware even included a secret Python-based backdoor tool called InvisibleFerret, which helps attackers maintain control over the device for a long time.

Some of the infected packages, such as cln-logger, node-clog, consolidate-log, and consolidate-logger, had slight differences in their code, showing that the hackers were trying out different versions of their malware to improve their success rate. This makes it harder for security systems to detect and block them.
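
A defender can check whether a project ever pulled in one of the packages named in this article, directly or as a transitive dependency. The following is an added example, not code from the article or the researchers; it takes an already parsed package-lock.json, the sample lockfiles and the name `demo-lib` are constructed, and the list holds only the nine names the article gives.

```javascript
// Added example. Nine of the eleven names are given in the article; the list is partial.
const NAMED_IN_ARTICLE = new Set([
  'twitterapis', 'core-pino', 'debugger-vite', 'events-utils', 'icloud-cod',
  'cln-logger', 'node-clog', 'consolidate-log', 'consolidate-logger',
]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the package
// name is whatever follows the last "node_modules/" segment (scopes included).
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Returns [{ name, version, via }] for each listed package, direct or transitive.
function findListedPackages(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3 layout: flat map keyed by install path ("" is the project itself).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      // An aliased install records the real package name in meta.name.
      const name = meta.name || nameFromPath(path);
      if (NAMED_IN_ARTICLE.has(name)) hits.push({ name, version: meta.version, via: path });
    }
    return hits; // v2 also mirrors the tree in "dependencies"; skip it to avoid duplicates
  }
  // v1 layout: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const chain = [...trail, name];
      if (NAMED_IN_ARTICLE.has(name)) hits.push({ name, version: meta.version, via: chain.join(' > ') });
      walk(meta.dependencies, chain);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles; "demo-lib" and all versions are made up.
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/demo-lib': { version: '2.1.0' },
  'node_modules/demo-lib/node_modules/core-pino': { version: '0.0.1' },
  'node_modules/logger': { name: 'cln-logger', version: '0.0.2' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'demo-lib': { version: '2.1.0', dependencies: { 'node-clog': { version: '0.0.1' } } } } };
console.log(findListedPackages(sampleV3), findListedPackages(sampleV1));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findListedPackages`.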

BeaverTail and Tropidoor: A New Malware Duo

Security researchers have seen the main malware, BeaverTail, before. But now, they found it spreading in new and smarter ways. This includes using npm packages. BeaverTail can steal information. It can also launch another harmful program called Tropidoor. Tropidoor is a new Windows backdoor. It has not been seen before. It gives hackers even more control over infected computers.

Recently, security experts in South Korea found a similar attack. In this case, hackers used a fake job interview to trick people again. They sent phishing messages with BeaverTail malware hidden inside. This attack mainly targeted developers in South Korea. The goal was to steal private data and financial information.

Some of the malicious servers used by the hackers are no longer active. But the infected code was made to fetch new data from those servers. This means the hackers could send any malware to infected computers at any time. That makes this threat very dangerous.

This new wave of attacks proves how skilled and determined these hackers are. By hiding malware in tools that developers trust and use every day, they are able to quietly invade software supply chains, one line of code at a time. This campaign shows that even a simple-looking package on npm could hide something sinister, especially when combined with clever tricks like fake job offers.

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.