Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages

2025-06-25 Socket

https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages


Socket attributes 35 malicious npm packages, published across 24 accounts, to the continuing North Korean Contagious Interview supply-chain campaign, including six packages that remained live and had more than 4,000 downloads. The packages target developers and job seekers through LinkedIn recruiter lures and coding assignments, pressuring victims to run projects locally and sometimes outside containers while screen-sharing. Their HexEval loader hex-encodes module names and C2 URLs, collects host metadata, posts environment data to Vercel-hosted endpoints, and conditionally retrieves BeaverTail, which can steal browser and cryptocurrency data and pull the InvisibleFerret backdoor. The report also identifies a cross-platform keylogger package and infrastructure such as log-server-lovat.vercel.app, ip-check-server.vercel.app, ip-check-api.vercel.app, and 172.86.80.145:1224, showing an active and adaptive DPRK-linked developer-targeting operation.

Indicators of Compromise

