Three malicious packages uploaded to the npm registry were discovered to harbor BeaverTail, a JavaScript downloader and information stealer associated with a continuing North Korean campaign known as Contagious Interview.
The packages—passports-js, bcrypts-js, and blockscan-api collectively amassed 323 downloads, and have been linked to threat actors from the Democratic People’s Republic of Korea (DPRK), also known as North Korea.
According to a report from Palo Alto Networks’ Unit 42, the BeaverTail malware is associated with an ongoing cyber campaign dubbed Contagious Interview, which specifically targets job-seekers in the U.S. tech industry. In this scheme, victims are lured into participating in fictitious job interviews where the malware is delivered disguised as part of an interview task.
Datadog Security Research has attributed the identified samples to a single threat actor designated as “Tenacious Pungsan.” The name references the Pungsan dog, native to North Korea, to symbolize the nation-state threat actor cluster involved.
Increasing Concerns Over Open-Source Software Security
The findings highlight a growing concern over the security of the open-source software supply chain. Attackers increasingly exploit this landscape to compromise legitimate packages or publish new ones that harbor malicious code. In many cases, they employ namesquatting, a tactic where malicious package names closely resemble legitimate ones to confuse developers.
Datadog Security Research actively monitors the npm and PyPI ecosystems for ongoing software supply chain attacks, utilizing a command-line scanner named GuardDog. This tool has helped catalog over 1,700 malicious packages in the past two years.
Discovery Timeline
The alarming trend began in September 2024, when versions 0.7.0 and 0.7.1 of passports-js were flagged for manual review due to suspicious obfuscated JavaScript code. This code was found in an otherwise benign source file and appeared to be a backdoored version of the legitimate passport package, a widely used authentication framework for Express applications.
Subsequently, it was discovered that bcrypts-js was similarly a backdoored copy of the popular bcryptjs library. Notably, both passports-js and bcrypts-js contained identical obfuscated lines of code.
Two days later, blockscan-api was flagged for similar issues, revealing another obfuscated backdoored version of the legitimate etherscan-api, which provides an interface to the Etherscan API.
Despite the quick removal of passports-js and bcrypts-js, which occurred shortly after the initial discovery, blockscan-api and its associated user account remained active until 9 October 2024. Passports-js, bcrypts-js, and blockscan-api were downloaded 118, 81, and at least 124 times, respectively.
BeaverTail Malware Characteristics
Analysis revealed that the obfuscated malware contained in these packages is a variant of the BeaverTail malware family, which is known to target sensitive information, including cryptocurrency wallet data and credit card information stored in browser caches. BeaverTail was first identified by Palo Alto Networks’ Unit 42 in late 2023 and is used by DPRK-linked actors as part of the Contagious Interview campaign.
The malware’s obfuscation technique involves altering the code to conceal its true purpose, complicating automated analysis and detection. Datadog found that the malicious packages shared significant code behaviors and communication patterns with previously reported BeaverTail samples.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.