In short
- More than 300 malicious code packages were uploaded to npm in what researchers call the ‘Contagious Interview’ campaign.
- The fake recruitment lures targeted Web3 and crypto developers, and the packages steal login credentials and wallet keys.
- Security experts warn that attacks on the software supply chain are becoming a tool of choice for government actors.
A US cybersecurity company says North Korean hackers have turned one of the world’s most widely used software libraries into a malware delivery system. In a report last week, researchers at Socket, a supply chain security firm, said they found more than 300 malicious code packages uploaded to the npm registry, a central repository used by millions of developers to share and install JavaScript software.
The packages – small pieces of reusable code used in everything from websites to crypto applications – are designed to look innocuous. But once downloaded, they install malware that can steal passwords, browser data, and cryptocurrency wallet keys. Socket said the campaign, which it calls “Contagious Interview”, was part of a sophisticated operation in which North Korean state hackers pose as tech recruiters to target developers working in blockchain, Web3 and related industries.
Why it matters: npm is essentially the backbone of the modern web. By compromising this, attackers can sneak malicious code into numerous downstream apps. Security experts have warned for years that such “software supply chain” attacks are among the most dangerous in cyberspace, because they spread invisibly through legitimate updates and dependencies.
The trail to North Korea
Socket researchers tracked the campaign through a cluster of similar package names – misspelled versions of popular libraries such as express, dotenv and helmet – and through code patterns linked to previously identified North Korean malware families known as BeaverTail and InvisibleFerret. The attackers used encrypted ‘loader’ scripts that decrypted and executed hidden payloads directly in memory, leaving few traces on disk.
The company estimates that roughly 50,000 downloads of the malicious packages occurred before many were removed, although some remain online. The hackers also used fake LinkedIn recruiter accounts, a tactic consistent with previous DPRK cyber espionage campaigns documented by the US Cybersecurity and Infrastructure Security Agency (CISA) and previously reported by Decrypt. The ultimate targets, according to the researchers, were machines holding access credentials and digital wallets.
While Socket’s findings align with reports from other security groups and government agencies linking North Korea to cryptocurrency thefts totaling billions of dollars, independent verification of every detail – such as the exact number of compromised packages – remains pending. Still, the technical evidence and patterns described are consistent with previous incidents attributed to Pyongyang.
Npm’s owner, GitHub, has said it removes malicious packages when they are discovered and is tightening account verification requirements. But the pattern, the researchers say, is one of whack-a-mole: take down one set of malicious packages, and hundreds more soon take their place.
For developers and crypto startups, the episode underlines how vulnerable the software supply chain has become. Security researchers urge teams to treat each “npm install” command as potential code execution, scan dependencies before merging them into projects, and use automated audit tools to detect tampered packages. The strength of the open source ecosystem – its openness – remains its greatest weakness when adversaries decide to weaponize it.
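As an added illustration of the dependency checks described above (example code written for this page, not Socket's tooling or anything from its report), the following Node script flags two of the signals the article mentions: package names a few edits away from popular libraries such as express, dotenv and helmet, and install-time lifecycle scripts that turn `npm install` into code execution. The popular-package list and the sample manifests are assumptions constructed for the demo.

```javascript
// Added example (not Socket's or npm's code): flag dependencies whose names are
// near-misses of well-known packages and packages that run scripts at install
// time. The popular-name list and the sample manifests are constructed.
const POPULAR = ['express', 'dotenv', 'helmet', 'react', 'lodash', 'axios'];

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// A name within two edits of a popular package (but not that package itself)
// is a typosquat candidate, e.g. "dot-env" or "helmett". Returns the
// popular name it imitates, or null.
function typosquatCandidate(name) {
  return POPULAR.find((p) => p !== name && editDistance(name, p) <= 2) || null;
}

// Lifecycle hooks that npm runs automatically when a registry package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Review one dependency's package.json object and return a list of findings.
function reviewPackage(pkg) {
  const findings = [];
  const near = typosquatCandidate(pkg.name);
  if (near) findings.push(`name "${pkg.name}" is within two edits of "${near}"`);
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push(`runs code at install time via "${hook}": ${pkg.scripts[hook]}`);
    }
  }
  return findings;
}

// Constructed sample manifests: a genuine-looking one and a suspicious one.
const SAMPLE_MANIFESTS = [
  { name: 'dotenv', version: '16.4.5', scripts: {} },
  { name: 'dot-env', version: '1.0.0', scripts: { postinstall: 'node loader.js' } },
];

for (const pkg of SAMPLE_MANIFESTS) {
  console.log(pkg.name, reviewPackage(pkg));
}
```

Running `npm install --ignore-scripts` stops these hooks from executing at all, at the cost of breaking the few packages that legitimately need them, so the script above is a review aid rather than a substitute for that setting.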