NEWS Dream Interview, GitHub Project, and npm install: Three Steps Before Your PC Becomes Someone Else’s

ExcalibuR

Legend
LEGEND
PREMIUM
MEMBER
Joined
Jan 17, 2025
Messages
4,031
Reaction score
7,810
Deposit
11,800$

When “remote work” means remote control — of your computer.


A new wave of malicious npm packages has been discovered, tied to the ongoing Contagious Interview campaign, which is believed to originate from North Korea. This was reported by cybersecurity firm Socket, which specializes in vulnerability analysis for software ecosystems.


As part of the attack, threat actors uploaded 35 malicious packages from 24 different npm accounts. Combined downloads have already exceeded 4,000. Some of the affected packages mimic legitimate libraries like react-plaid-sdk, sumsub-node-websdk, vite-plugin-next-refresh, node-orm-mongoose, and others. As of now, six of these packages are still available for download on npm.


According to Socket, all infected packages contain a hidden loader called HexEval, which is silently embedded into the system upon installation. Once active, it collects information about the infected environment and proceeds to download additional malware — namely, a JavaScript stealer called BeaverTail.


BeaverTail acts as a bridge to deliver and activate a Python backdoor named InvisibleFerret, which grants attackers remote access and enables the collection of sensitive data from compromised devices.


According to Kirill Boychenko of Socket, this multi-stage structure allows the malware to bypass conventional security checks, including static code analysis and manual review. In some cases, one of the attackers’ npm accounts was also found distributing a cross-platform keylogger, enabling the capture of all keystrokes to dramatically increase the scope of data exfiltration.


The Contagious Interview operation was first exposed in late 2023 by Palo Alto Networks’ Unit 42. Its goal is to compromise developers' systems in order to steal cryptocurrency and proprietary data. The threat actor behind it is tracked under various aliases: CL-STA-0240, DeceptiveDevelopment, DEVPOPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.


In newer variants of the campaign, attackers use a social engineering tactic dubbed ClickFake Interview. In this scheme, targets are sent malicious GitHub or Bitbucket links under the pretense of receiving technical tasks as part of a job interview — with the compromised npm packages embedded in those projects.


Experts highlight that the attackers exploit developers' natural trust in recruiters. The attack often begins with fake recruiter profiles on LinkedIn that offer job interviews and then send victims coding assignments laced with malware.


Victims usually run these projects in unsecured environments, outside of containers or sandboxes, making infection trivial. This combination of social engineering, supply chain compromise, and defense evasion demonstrates a high level of planning and constant adaptation by the threat actors.
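A defender-side check for the two signals described above (a loader that runs as soon as the package is installed, and package names that mimic legitimate libraries), written as an added example; it is not code from the article or from Socket. It assumes the package.json files have already been parsed into objects (in a real run, from node_modules/*/package.json), and every package name in the sample tree is constructed.

```javascript
// Added example, not code from the article or from Socket: audit parsed
// package.json objects (in practice node_modules/*/package.json) for two
// signals the campaign relies on: install-time lifecycle scripts, which run a
// loader before anyone reads the code, and names that closely resemble a
// project's trusted dependencies. All package names below are constructed.
const HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Packages declaring scripts that npm executes automatically at install time.
function findInstallHooks(pkgs) {
  return pkgs
    .filter(p => p.scripts && HOOKS.some(h => h in p.scripts))
    .map(p => ({ name: p.name, hooks: HOOKS.filter(h => h in p.scripts) }));
}

// Levenshtein edit distance, used to catch one- or two-character lookalikes.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Installed names within `maxDist` edits of a trusted name, but not equal to it.
function findLookalikes(pkgs, trusted, maxDist = 2) {
  const hits = [];
  for (const p of pkgs)
    for (const t of trusted)
      if (p.name !== t && editDistance(p.name, t) <= maxDist)
        hits.push({ name: p.name, resembles: t });
  return hits;
}

// Constructed sample dependency tree; 'react-p1aid-sdk' stands in for a
// typosquat of the legitimate react-plaid-sdk named in the article.
const SAMPLE = [
  { name: 'react', version: '18.2.0', scripts: { test: 'jest' } },
  { name: 'react-p1aid-sdk', version: '1.0.3', scripts: { postinstall: 'node setup.js' } },
  { name: 'expres', version: '0.0.1' },
];
const TRUSTED = ['react', 'express', 'react-plaid-sdk'];

function audit(pkgs = SAMPLE, trusted = TRUSTED) {
  return { hooks: findInstallHooks(pkgs), lookalikes: findLookalikes(pkgs, trusted) };
}

console.log(JSON.stringify(audit(), null, 2));
```

Running the audit before `npm install` executes anything (for example after `npm install --ignore-scripts`) lets the flagged packages be reviewed in a sandbox rather than on the workstation the assignment was sent to.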


Socket warns that North Korean hacker activity reveals a maturing attack strategy that leverages developer infrastructure itself. By injecting malware into trusted open-source libraries, disguising payloads as technical assignments, and operating through fake job offers, they effectively bypass traditional defenses and specifically target software engineers at their weakest point: during the job hunt.