
Malicious npm packages spread BeaverTail malware


North Korean state-backed threat operation Tenacious Pungsan, also known as Famous Chollima and CL-STA-0240, has used three now-removed malicious npm packages to deploy the BeaverTail information-stealing malware, reports The Hacker News. BeaverTail has been used in the ongoing Contagious Interview attack campaign, which has been aiming to compromise developers with malicious packages since last November.

Most downloaded among the malicious packages was "blockscan-api," a backdoored copy of etherscan-api, followed by "passport-js," a backdoored copy of passport, and "bcrypts-js," a backdoored copy of bcryptjs, an analysis from the Datadog Security Research team showed. "Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem. These campaigns, along with Contagious Interview more broadly, highlight that individual developers remain valuable targets for these DPRK-linked threat actors," said Datadog. Such findings come weeks after Palo Alto Networks Unit 42 reported updated payloads being launched in recent Contagious Interview intrusions.
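For teams that want to check their own projects against the three package names reported above, the following is an added example, not code from the article or from Datadog. It scans a parsed package-lock.json in both the nested v1 layout and the flat v2/v3 layout, including aliased installs; the function names and the sample lockfile are constructed for illustration.

```javascript
// Names reported in the article, mapped to the legitimate package each one copies.
const REPORTED = new Map([
  ["blockscan-api", "etherscan-api"],
  ["passport-js", "passport"],
  ["bcrypts-js", "bcryptjs"],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root key "" -> null.
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Accepts a parsed lockfile, e.g. JSON.parse(fs.readFileSync(file, "utf8")).
function findReportedPackages(lock) {
  const hits = [];
  const record = (name, version, where) => {
    if (REPORTED.has(name)) hits.push({ name, version, where, copies: REPORTED.get(name) });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path. An aliased install
    // keeps the real package name in "name", so prefer it over the folder name.
    for (const [path, meta] of Object.entries(lock.packages)) {
      record(meta.name || nameFromPath(path), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        record(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (not real data): one nested hit, one aliased hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/passport": { version: "0.0.0-sample" },
    "node_modules/express/node_modules/bcrypts-js": { version: "0.0.0-sample" },
    "node_modules/hashing": { name: "passport-js", version: "0.0.0-sample" },
  },
};
console.log(findReportedPackages(SAMPLE_LOCK));
```

An empty result only means these three names are absent from the lockfile; it says nothing about other lookalike packages.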
