Malware, Threat Intelligence

Malicious npm packages, BeaverTail malware leveraged in new North Korean attacks

North Korean remote IT worker scam

North Korean threat actors have launched intrusions using malicious npm packages and the BeaverTail malware as part of their persistent targeting of software developers, according to The Hacker News.

Eleven npm packages posing as utilities and debuggers, which had amassed more than 5,600 downloads before their removal, were used by Lazarus Group-linked attackers to deploy a remote access trojan loader as part of the ongoing Contagious Interview campaign, according to a report from Socket Security. While the second-stage payload remains unconfirmed, the loader's code retrieves and executes remote JavaScript, letting the operators deliver any malware they choose; Socket Security researchers observed BeaverTail and InvisibleFerret being reused in the attacks. Separately, an analysis by the AhnLab Security Intelligence Center of BeaverTail attacks against South Korean developers found the payload delivering Tropidoor, a previously undocumented Windows backdoor, one of whose commands had earlier been seen in the Lazarus Group's LightlessCan malware.
