North Korea’s Sneaky “Fake Interview” npm Malware Attack Targets Developers

June 27, 2025 / News

Security expert Bill Toulas found something pretty sneaky – and, okay, kind of clever, though definitely bad: North Korean hackers are using fake interviews to trick software developers. They’re sending out messages offering remote work, and then asking developers to download some code as a test. Sounds harmless, right? Wrong.

That code is actually malware, designed to steal information. So, if you’re a developer hoping for a sweet remote gig and get a DM from a recruiter out of the blue with a project, just be extra careful. You might be about to get more than you bargained for.

What’s going on with these phony job interviews?

It’s become quite a trend. Bill Toulas, who digs deep into cyber-espionage, claims this is just the newest version of the “Contagious Interview Campaign.” In essence, these internet spies (munching on something tasty, perhaps kimchi?) pretend to be recruiters on LinkedIn offering incredible job opportunities. But watch out, it’s a setup!

Here’s the process:

  • They present you with a coding challenge.
  • The test uses an npm package – one that seems normal.
  • You install it. And boom! Malware. Your computer gets compromised.

Inside the Malicious Payloads

Socket Threat Research broke it down. These fake npm packages do some real damage, including:

  1. BeaverTail: an info-stealer that swipes your browser data, crypto wallets, and more.
  2. InvisibleFerret: a creepy little backdoor that lets attackers snoop, steal files, and even take screenshots.
  3. A cross-platform keylogger that tracks every keystroke — yep, like your private passwords.

These threats are super sneaky, hiding in npm packages with names like:

  • react-plaid-sdk
  • reactbootstraps
  • node-orm-mongoose
  • chalk-config
  • nextjs-insight
  • vite-plugin-next-refresh

…and many more. Some mimic popular libraries with typosquatted names. So if you thought you were installing chalk, but it was chalk-config, surprise! You invited malware to your system.

How It Works (Without the Complicated Terms)

  • You receive a “test project” on Bitbucket.
  • You start an npm package with HexEval Loader inside.
  • This package reaches out to the hackers’ control server, runs eval() (yep, the risky one), and installs BeaverTail.
  • BeaverTail then sets up InvisibleFerret. Now the hackers can view your screen.
  • Some systems also get a keylogger, which watches every key you press.

If you are a developer — note!

If anyone asks you to execute code outside a container or VM as part of a “recruitment process,” do not do it. Ever.

This isn’t a “one and done” occurrence. As Bill Toulas mentions (seriously, good malware intel … where does this guy get his info?), this is not, by any stretch of the imagination, the first rodeo for these hackers. March saw them do an npm campaign that mirrors this one — and they show no signs of slowing down.

What Can You Do

  • Always sandbox or virtualize unknown code.
  • Validate npm packages — double-check names and authors.
  • Do not succumb to pressure tactics at interviews.
  • Keep a healthy skepticism about “too good to be true” job offers.
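
The "validate npm packages" advice above, as an added example (not code from this article, Socket, or Bill Toulas): a Node.js check to run over a received test project's package.json before `npm install`. The REPORTED names are the ones listed on this page; the EXPECTED list, the distance thresholds and SAMPLE_MANIFEST are assumptions made for illustration.

```javascript
// Added example: heuristic review of a package.json before `npm install`.
// Names this article lists as malicious packages.
const REPORTED = new Set([
  "react-plaid-sdk", "reactbootstraps", "node-orm-mongoose",
  "chalk-config", "nextjs-insight", "vite-plugin-next-refresh",
]);
// Assumption: packages you genuinely expect in the project; extend as needed.
const EXPECTED = ["chalk", "react-bootstrap", "mongoose", "next", "vite", "express"];

// Ignore case and separators so "react-bootstrap" and "reactbootstrap" compare equal.
const squash = (name) => name.toLowerCase().replace(/[-_.]/g, "");

// Levenshtein edit distance using a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Returns [{ name, reason }] for each dependency that needs a manual look.
function auditManifest(manifest) {
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (REPORTED.has(name)) { findings.push({ name, reason: "listed in the article" }); continue; }
    if (EXPECTED.includes(name)) continue;
    // Assumed thresholds: short names tolerate 1 edit, longer names 2.
    const limit = squash(name).length >= 8 ? 2 : 1;
    const near = EXPECTED.find((p) => editDistance(squash(name), squash(p)) <= limit);
    if (near) findings.push({ name, reason: `look-alike of ${near}` });
  }
  return findings;
}

// Constructed sample manifest; "react-bootstrapp" is an invented look-alike.
const SAMPLE_MANIFEST = {
  name: "interview-test-project",
  dependencies: { chalk: "^5.3.0", "chalk-config": "^1.0.0", "react-bootstrapp": "^1.0.0" },
  devDependencies: { vite: "^5.0.0" },
};
console.log(auditManifest(SAMPLE_MANIFEST));
```

A suffix-style name such as chalk-config is too far from chalk for the distance check, so it is caught only through the REPORTED list; an empty result means nothing matched these heuristics, not that the project is safe to run outside a sandbox.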

Thanks once more to Bill Toulas for the continuous research work that keeps bringing these cyber threat anomalies to the forefront, such as ‘fake interviews’. Remember also: Just because someone says they are with “Global Tech Recruiters Inc.” does not mean they are not North Korean operatives in disguise.

For more cyber security news, stay tuned to MalVirus.

Published by: Vishal Jaiswal