BeaverTail Malware Resurfaces in Malicious npm Packages Focusing on Builders

Oct 28, 2024Ravie LakshmananMalware / Risk Intelligence

Three malicious packages revealed to the npm registry in September 2024 have been discovered to include a recognized malware known as BeaverTail, a JavaScript downloader and knowledge stealer linked to an ongoing North Korean marketing campaign tracked as Contagious Interview.

The Datadog Safety Analysis staff is monitoring the exercise below the title Tenacious Pungsan, which can be recognized by the monikers CL-STA-0240 and Well-known Chollima.

Cybersecurity

The names of the malicious packages, that are not out there for obtain from the bundle registry, are listed beneath –

  • passports-js, a backdoored copy of the passport (118 downloads)
  • bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
  • blockscan-api, a backdoored copy of etherscan-api (124 downloads)

Contagious Interview refers to a yearlong-campaign undertaken by the Democratic Folks’s Republic of Korea (DPRK) that includes tricking builders into downloading malicious packages or seemingly innocuous video conferencing purposes as a part of a coding check. It first got here to mild in November 2023.

BeaverTail Malware

This isn’t the primary time the risk actors have used npm packages to distribute BeaverTail. In August 2024, software program provide chain safety agency Phylum disclosed one other bunch of npm packages that paved the way in which for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.

The names of the malicious packages recognized on the time had been temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. One facet that is widespread to the 2 units of packages is the continued effort on the a part of the risk actors to imitate the etherscan-api bundle, signaling that the cryptocurrency sector is a persistent goal.

Cybersecurity

Then final month, Stacklok mentioned it detected a brand new wave of counterfeit packages – eslint-module-conf and eslint-scope-util – which are designed to reap cryptocurrencies and set up persistent entry to compromised developer machines.

Palo Alto Networks Unit 42 informed The Hacker Information earlier this month the marketing campaign has confirmed to be an efficient method to distribute malware by exploiting a job seeker’s belief and urgency when making use of for alternatives on-line.

The findings spotlight how risk actors are more and more misusing the open-source software program provide chain as an assault vector to contaminate downstream targets.

“Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem,” Datadog mentioned. “These campaigns, along with Contagious Interview more broadly, highlight that individual developers remain valuable targets for these DPRK-linked threat actors.”

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.

Recent articles