BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.

The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers CL-STA-0240 and Famous Chollima.

The names of the malicious packages, which are no longer available for download from the package registry, are listed below -

• passports-js, a backdoored copy of the passport (118 downloads)
• bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
• blockscan-api, a backdoored copy of etherscan-api (124 downloads)

Contagious Interview refers to a yearlong-campaign undertaken by the Democratic People's Republic of Korea (DPRK) that involves tricking developers into downloading malicious pages or seemingly innocuous video conferencing applications as part of a coding test. It first came to light in November 2023.

This is not the first time the threat actors have used npm packages to distribute BeaverTail. In August 2024, software supply chain security firm Phylum disclosed another bunch of npm packages that paved the way for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.

The names of the malicious packages identified at the time were temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. One aspect that's common to the two sets of packages is the continued effort on the part of the threat actors to mimic the etherscan-api package, signaling that the cryptocurrency sector is a persistent target.

Then last month, Stacklok said it detected a new wave of counterfeit packages – eslint-module-conf and eslint-scope-util – that are designed to harvest cryptocurrencies and establish persistent access to compromised developer machines.

Palo Alto Networks Unit 42 told The Hacker News earlier this month the campaign has proven to be an effective way to distribute malware by exploiting a job seeker's trust and urgency when applying for opportunities online.

The findings highlight how threat actors are increasingly misusing the open-source software supply chain as an attack vector to infect downstream targets.

"Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem," Datadog said. "These campaigns, along with Contagious Interview more broadly, highlight that individual developers remain valuable targets for these DPRK-linked threat actors."