North Korean Hackers Use Fake Job Offers to Trick Developers into Installing Malware

source: COINTELEGRAPH

North Korean hackers are stepping up their efforts to attack Western tech companies by hiding malicious code in the npm software repository. Cybersecurity firm Socket has identified a new wave of 67 malicious packages, which are part of an ongoing campaign they’ve dubbed “Contagious Interview.”

The scheme is more sophisticated than just hoping someone accidentally downloads the bad code. The main attack happens on social and professional networks like LinkedIn, Telegram, or Discord. There, the hackers pose as recruiters or HR managers from major tech companies and reach out to software developers with appealing job offers.

They lead the unsuspecting developers through a fake interview process, which ends with a final “test assignment.” This test requires the job seeker to download and run a specific npm package, which is secretly loaded with malware. Once run, the developer’s device is compromised.

While social engineering is the primary delivery method, the packages have still been downloaded over 17,000 times, creating a wide net for potential victims. Security researchers describe the fight against this campaign as a “whack-a-mole” game. As soon as defenders identify and remove the malicious packages, the hackers quickly upload new, slightly altered versions to continue their attacks.

This type of scam fits North Korea’s well-known pattern of using cyberattacks for espionage and financial gain. The hackers are either trying to steal valuable company secrets and intellectual property or looking to steal cryptocurrency. The stolen funds are often used to finance the state’s operations and its nuclear weapons program.