BeaverTail Malware Resurfaces in Malicious npm Packages Concentrating on Builders

Oct 28, 2024Ravie LakshmananMalware / Menace Intelligence

Three malicious packages printed to the npm registry in September 2024 have been discovered to include a identified malware referred to as BeaverTail, a JavaScript downloader and data stealer linked to an ongoing North Korean marketing campaign tracked as Contagious Interview.

The Datadog Safety Analysis staff is monitoring the exercise below the title Tenacious Pungsan, which can also be identified by the monikers CL-STA-0240 and Well-known Chollima.

The names of the malicious packages, that are not accessible for obtain from the bundle registry, are listed beneath –

• passports-js, a backdoored copy of the passport (118 downloads)
• bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
• blockscan-api, a backdoored copy of etherscan-api (124 downloads)

Contagious Interview refers to a yearlong-campaign undertaken by the Democratic Individuals’s Republic of Korea (DPRK) that includes tricking builders into downloading malicious pages or seemingly innocuous video conferencing purposes as a part of a coding take a look at. It first got here to gentle in November 2023.

This isn’t the primary time the risk actors have used npm packages to distribute BeaverTail. In August 2024, software program provide chain safety agency Phylum disclosed one other bunch of npm packages that paved the way in which for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.

The names of the malicious packages recognized on the time have been temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. One facet that is widespread to the 2 units of packages is the continued effort on the a part of the risk actors to imitate the etherscan-api bundle, signaling that the cryptocurrency sector is a persistent goal.

Then final month, Stacklok mentioned it detected a brand new wave of counterfeit packages – eslint-module-conf and eslint-scope-util – which might be designed to reap cryptocurrencies and set up persistent entry to compromised developer machines.

Palo Alto Networks Unit 42 instructed The Hacker Information earlier this month the marketing campaign has confirmed to be an efficient strategy to distribute malware by exploiting a job seeker’s belief and urgency when making use of for alternatives on-line.

The findings spotlight how risk actors are more and more misusing the open-source software program provide chain as an assault vector to contaminate downstream targets.

“Copying and backdooring legit npm packages continues to be a typical tactic of risk actors on this ecosystem,” Datadog mentioned. “These campaigns, together with Contagious Interview extra broadly, spotlight that particular person builders stay useful targets for these DPRK-linked risk actors.”