North Korean Hackers Hide Multi-Stage Malware in npm Package Targeting Developers

North Korea's Lazarus Group is targeting software developers through fake job recruiters on LinkedIn, Fiverr, and UpWork, delivering a three-stage malware attack via a malicious npm package.

Security researchers at OpenSourceMalware uncovered the campaign, which uses the package tailwindcss-forms-kit - disguised as a legitimate Tailwind CSS utility - to steal credentials, cryptocurrency wallets, and cloud access while establishing persistent backdoor control.

The Attack Chain

The operation, dubbed "Contagious Interview," begins with social engineering rather than code.

Threat actors pose as recruiters offering jobs at well-known tech or cryptocurrency companies. After building trust through multiple interview rounds, victims are asked to download a "coding challenge" or "interview tool" - actually the malicious npm package.

Stage One: JavaScript Backdoor

Once installed, the package executes an obfuscated JavaScript payload connecting to command-and-control infrastructure. It performs extensive credential theft across Windows, macOS, and Linux:

  • Browser passwords from Chrome, Edge, Brave, Opera, Yandex
  • Windows DPAPI credential decryption
  • macOS Keychain databases
  • Shell history files
  • Cryptocurrency wallets (MetaMask, Phantom, Coinbase Wallet, Trust Wallet)

The malware also harvests cloud credentials from:

  • ~/.aws
  • ~/.azure
  • ~/.config/gcloud

Persistence is established via a Windows registry run key disguised as an NVIDIA update process.
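The article does not give the registry value name or the path the disguised updater uses, so the following is an added example, not code from the article or from the OpenSourceMalware report. It audits Windows Run-key entries for the pattern described here: an NVIDIA-branded autostart value whose target does not live where a genuine NVIDIA component would. The trusted and user-writable directory lists, the interpreter heuristic and the sample entries are all assumptions; the sample entries are constructed and are not real indicators.

```python
from __future__ import annotations

# Added example: audit Windows "Run" key persistence for NVIDIA-branded entries
# that point outside the directories a real NVIDIA component would use.
# All heuristics and sample data below are assumptions, not published IoCs.
import re
from typing import List, NamedTuple


class RunEntry(NamedTuple):
    hive: str      # "HKCU" or "HKLM"
    name: str      # value name under ...\CurrentVersion\Run
    command: str   # command line stored in the value


# Where a genuine NVIDIA autostart component is expected to live (assumption).
TRUSTED_PREFIXES = (
    "c:/program files/nvidia corporation/",
    "c:/program files (x86)/nvidia corporation/",
    "c:/windows/system32/",
)
# User-writable locations that droppers typically stage into (assumption).
USER_WRITABLE = ("/appdata/", "/temp/", "/downloads/", "/programdata/")


def executable_path(command: str) -> str:
    """Extract the program path from a Run value's command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_reasons(entry: RunEntry) -> List[str]:
    """Return the reasons an entry looks like a disguised persistence value."""
    reasons = []
    path = executable_path(entry.command).lower().replace("\\", "/")
    branded = "nvidia" in entry.name.lower() or "nvidia" in path
    if branded and not path.startswith(TRUSTED_PREFIXES):
        reasons.append("NVIDIA-branded value outside NVIDIA/System32 directories")
    if branded and any(marker in path for marker in USER_WRITABLE):
        reasons.append("NVIDIA-branded value runs from a user-writable directory")
    if re.search(r"\b(node|wscript|cscript|powershell|python\w*)(\.exe)?$", path):
        reasons.append("script interpreter used as autostart target")
    return reasons


def audit(entries: List[RunEntry]) -> dict:
    """Map each flagged value name to its list of reasons."""
    return {e.name: suspicious_reasons(e) for e in entries if suspicious_reasons(e)}


def collect_run_entries() -> List[RunEntry]:
    """Read the HKCU and HKLM Run keys on a Windows host; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                entries.append(RunEntry(hive_name, name, str(value)))
                index += 1
    return entries


# Constructed sample entries (assumption): one genuine NVIDIA component, one
# branded value that launches node.exe from AppData, one ordinary AppData app.
SAMPLE_RUN_ENTRIES = [
    RunEntry("HKLM", "NvBackend",
             r'"C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe"'),
    RunEntry("HKCU", "NVIDIA Update",
             r'"C:\Users\dev\AppData\Roaming\nvidia\node.exe" C:\Users\dev\AppData\Roaming\nvidia\update.js'),
    RunEntry("HKCU", "OneDrive",
             r'"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    # Use live registry data on Windows, the constructed sample elsewhere.
    for name, reasons in audit(collect_run_entries() or SAMPLE_RUN_ENTRIES).items():
        print(f"[!] {name}: {'; '.join(reasons)}")
```

The check deliberately does not flag every AppData autostart (OneDrive passes), only entries that borrow the NVIDIA name or hand control to a script interpreter; on a real host, confirm a hit by checking the target file's signature and creation time rather than acting on the name alone.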

Stage Two: OtterCookie Deployment

The first-stage payload downloads OtterCookie, a malware strain previously attributed to Lazarus Group. This variant has evolved to target a wider set of cloud credentials, reflecting Lazarus's growing focus on developers and DevOps environments.

Key indicators include the use of Socket.IO for C2 communication and the same cryptocurrency wallet extension targeting seen in previous variants.

Stage Three: InvisibleFerret Backdoor

The final payload is InvisibleFerret, a modular backdoor attributed to Lazarus's Famous Chollima subgroup. Delivered as a PyInstaller executable with an embedded Python 3.10 runtime, it provides:

  • Persistent C2 connectivity
  • System-wide keylogging
  • Clipboard monitoring and crypto address manipulation
  • File system monitoring and exfiltration
  • Multi-channel exfiltration over HTTP, FTP, and Telegram

Campaign Scale

Active since at least 2023, Contagious Interview shows no signs of slowing:

  • Hundreds of malicious GitHub repositories
  • Hundreds of malicious npm packages
  • Continuous publication of new lures after takedowns

Why Developers Are Targeted

By compromising individual developers, Lazarus gains access to:

  • Corporate source code repositories
  • Cloud infrastructure credentials
  • Cryptocurrency wallets and exchanges
  • Software supply chains

The United Nations estimates DPRK-linked hacking has generated billions of dollars through cryptocurrency theft to fund weapons programs.

Recommendations

  • Treat unsolicited recruiter messages with suspicion
  • Never run interview-related code outside isolated VMs
  • Monitor for unusual outbound connections from dev systems
  • Watch for access to browser databases, cloud credential directories, and wallet files
  • Verify recruiters independently before engaging
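To make the monitoring recommendations concrete, the following added example (not from the article or from any vendor tooling) scores file-read telemetry for the harvesting pattern described above: one process reading browser password stores, cloud CLI credential directories, shell history and browser extension data that belongs to other applications. The event format, the sensitive-path markers, the owner table and the sample events are assumptions; the events are constructed and the extension id is a placeholder, not a real identifier.

```python
from __future__ import annotations

# Added example: flag processes that read credential stores they do not own.
# Event schema, path markers, owner table and sample events are assumptions.
import json
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# (category, lower-cased path markers, process names expected to touch them).
# Markers follow common layouts: Chromium keeps passwords in "Login Data" and
# extension storage under "Local Extension Settings"; the CLIs keep credentials
# in ~/.aws, ~/.azure and ~/.config/gcloud (assumption for the owner sets).
SENSITIVE: List[Tuple[str, Tuple[str, ...], Set[str]]] = [
    ("browser_passwords", ("/login data", "/cookies"),
     {"chrome", "msedge", "brave", "opera", "yandex"}),
    ("cloud_credentials", ("/.aws/", "/.azure/", "/.config/gcloud/"),
     {"aws", "az", "gcloud"}),
    ("shell_history", ("/.bash_history", "/.zsh_history"), {"bash", "zsh"}),
    ("wallet_data", ("/local extension settings/",),
     {"chrome", "msedge", "brave", "opera", "yandex"}),
]


def classify(path: str) -> Optional[Tuple[str, Set[str]]]:
    """Return (category, owner processes) if the path is a sensitive artefact."""
    normalised = path.lower().replace("\\", "/")
    for category, markers, owners in SENSITIVE:
        if any(marker in normalised for marker in markers):
            return category, owners
    return None


def process_base(name: str) -> str:
    """Strip directory and .exe suffix so 'C:\\x\\node.exe' and 'node' compare equal."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return base[:-4] if base.endswith(".exe") else base


def score_events(jsonl: str) -> List[Dict[str, object]]:
    """Group sensitive reads by (host, process, pid) and alert on non-owner readers."""
    hits: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("op") != "read":
            continue
        found = classify(event["path"])
        if found is None:
            continue
        category, owners = found
        proc = process_base(event["process"])
        if proc in owners:
            continue  # the application that owns the data reading its own files
        hits[(event["host"], proc, event["pid"])].add(category)
    alerts = []
    for (host, proc, pid), categories in hits.items():
        # Touching two or more unrelated credential stores is the harvesting
        # signature the article describes; a single category is only medium.
        severity = "high" if len(categories) >= 2 else "medium"
        alerts.append({"host": host, "process": proc, "pid": pid,
                       "categories": sorted(categories), "severity": severity})
    return sorted(alerts, key=lambda a: (str(a["host"]), int(a["pid"])))


# Constructed telemetry (assumption): a Windows laptop where node.exe reads the
# browser, cloud and extension stores, and a Linux box where python3 reads
# gcloud credentials and shell history. Owner reads are included as controls.
SAMPLE_EVENTS = r"""
{"ts":"2025-01-10T09:12:01Z","host":"dev-laptop","process":"chrome.exe","pid":4410,"op":"read","path":"C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2025-01-10T09:14:33Z","host":"dev-laptop","process":"node.exe","pid":7712,"op":"read","path":"C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2025-01-10T09:14:34Z","host":"dev-laptop","process":"node.exe","pid":7712,"op":"read","path":"C:\\Users\\dev\\.aws\\credentials"}
{"ts":"2025-01-10T09:14:35Z","host":"dev-laptop","process":"node.exe","pid":7712,"op":"read","path":"C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\EXTENSION_ID_PLACEHOLDER\\000003.log"}
{"ts":"2025-01-10T09:14:36Z","host":"dev-laptop","process":"node.exe","pid":7712,"op":"read","path":"C:\\Users\\dev\\project\\package.json"}
{"ts":"2025-01-10T10:02:10Z","host":"dev-linux","process":"aws","pid":1902,"op":"read","path":"/home/dev/.aws/credentials"}
{"ts":"2025-01-10T10:05:41Z","host":"dev-linux","process":"python3","pid":2231,"op":"read","path":"/home/dev/.config/gcloud/credentials.db"}
{"ts":"2025-01-10T10:05:42Z","host":"dev-linux","process":"python3","pid":2231,"op":"read","path":"/home/dev/.zsh_history"}
{"ts":"2025-01-10T10:06:00Z","host":"dev-linux","process":"zsh","pid":1500,"op":"read","path":"/home/dev/.zsh_history"}
"""

if __name__ == "__main__":
    for alert in score_events(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the constructed sample, the node.exe and python3 processes are reported as high-severity readers while the browser, the aws CLI and the shell are ignored; in production the owner table needs tuning per fleet (password managers and backup agents legitimately read some of these paths), and the pid grouping should be replaced by the process GUID your EDR emits, since pids are reused.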
