BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers
Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.
The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers CL-STA-0240 and Famous Chollima.
The names of the malicious packages, which are no longer available for download from the package registry, are listed below -
- passports-js, a backdoored copy of the passport (118 downloads)
- bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
- blockscan-api, a backdoored copy of etherscan-api (124 downloads)
Contagious Interview refers to a yearlong-campaign undertaken by the Democratic People's Republic of Korea (DPRK) that involves tricking developers into downloading malicious pages or seemingly innocuous video conferencing applications as part of a coding test. It first came to light in November 2023.
This is not the first time the threat actors have used npm packages to distribute BeaverTail. In August 2024, software supply chain security firm Phylum disclosed another bunch of npm packages that paved the way for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.
The names of the malicious packages identified at the time were temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. One aspect that's common to the two sets of packages is the continued effort on the part of the threat actors to mimic the etherscan-api package, signaling that the cryptocurrency sector is a persistent target.
Then last month, Stacklok said it detected a new wave of counterfeit packages – eslint-module-conf and eslint-scope-util – that are designed to harvest cryptocurrencies and establish persistent access to compromised developer machines.
Palo Alto Networks Unit 42 told The Hacker News earlier this month the campaign has proven to be an effective way to distribute malware by exploiting a job seeker's trust and urgency when applying for opportunities online.
The findings highlight how threat actors are increasingly misusing the open-source software supply chain as an attack vector to infect downstream targets.
"Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem," Datadog said. "These campaigns, along with Contagious Interview more broadly, highlight that individual developers remain valuable targets for these DPRK-linked threat actors."
Russian Espionage Group Targets Ukrainian Military with Malware via Telegram
Free, France’s second largest ISP, confirms data breach after leak
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
LowStrict-Transport-Security Multiple Header Entries (Non-compliant with Spec)
InformationalRetrieved from Cache
InformationalContent-Type Header Missing
InformationalStorable and Cacheable Content
InformationalGET for POST
LowInformation Disclosure - Debug Error Messages via WebSocket
InformationalSec-Fetch-Dest Header is Missing
MediumHTTP Only Site
InformationalEmail address found in WebSocket message
Free online web security scanner
