BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers
Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.
The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers CL-STA-0240 and Famous Chollima.
The names of the malicious packages, which are no longer available for download from the package registry, are listed below -
- passports-js, a backdoored copy of the passport (118 downloads)
- bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
- blockscan-api, a backdoored copy of etherscan-api (124 downloads)
Contagious Interview refers to a yearlong-campaign undertaken by the Democratic People's Republic of Korea (DPRK) that involves tricking developers into downloading malicious pages or seemingly innocuous video conferencing applications as part of a coding test. It first came to light in November 2023.
This is not the first time the threat actors have used npm packages to distribute BeaverTail. In August 2024, software supply chain security firm Phylum disclosed another bunch of npm packages that paved the way for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.
The names of the malicious packages identified at the time were temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. One aspect that's common to the two sets of packages is the continued effort on the part of the threat actors to mimic the etherscan-api package, signaling that the cryptocurrency sector is a persistent target.
Then last month, Stacklok said it detected a new wave of counterfeit packages – eslint-module-conf and eslint-scope-util – that are designed to harvest cryptocurrencies and establish persistent access to compromised developer machines.
Palo Alto Networks Unit 42 told The Hacker News earlier this month the campaign has proven to be an effective way to distribute malware by exploiting a job seeker's trust and urgency when applying for opportunities online.
The findings highlight how threat actors are increasingly misusing the open-source software supply chain as an attack vector to infect downstream targets.
"Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem," Datadog said. "These campaigns, along with Contagious Interview more broadly, highlight that individual developers remain valuable targets for these DPRK-linked threat actors."
source: TheHackerNews
Free security scan for your website
Top News:
CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024Windows 11 KB5046740 update released with 14 changes and fixes
November 22, 2024APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware
November 23, 2024Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs
November 23, 2024Download: CIS Critical Security Controls v8.1
August 8, 2024