North Korean Hackers Hide Multi-Stage Malware in npm Package Targeting Developers
North Korea's Lazarus Group is targeting software developers through fake job recruiters on LinkedIn, Fiverr, and UpWork, delivering a three-stage malware attack via a malicious npm package.
Security researchers at OpenSourceMalware uncovered the campaign, which uses the package tailwindcss-forms-kit - disguised as a legitimate Tailwind CSS utility - to steal credentials, cryptocurrency wallets, and cloud access while establishing persistent backdoor control.
The Attack Chain
The operation, dubbed "Contagious Interview," begins with social engineering rather than code.
Threat actors pose as recruiters offering jobs at well-known tech or cryptocurrency companies. After building trust through multiple interview rounds, victims are asked to download a "coding challenge" or "interview tool" - actually the malicious npm package.
Stage One: JavaScript Backdoor
Once installed, the package executes an obfuscated JavaScript payload connecting to command-and-control infrastructure. It performs extensive credential theft across Windows, macOS, and Linux:
- Browser passwords from Chrome, Edge, Brave, Opera, Yandex
- Windows DPAPI credential decryption
- macOS Keychain databases
- Shell history files
- Cryptocurrency wallets (MetaMask, Phantom, Coinbase Wallet, Trust Wallet)
The malware also harvests cloud credentials from:
~/.aws~/.azure~/.config/gcloud
Persistence is established via a Windows registry run key disguised as an NVIDIA update process.
Stage Two: OtterCookie Deployment
The first-stage payload downloads OtterCookie, a malware strain previously attributed to Lazarus Group. This variant shows evolution with expanded cloud credential targeting, reflecting Lazarus's growing focus on developers and DevOps environments.
Key indicators include Socket.IO for C2 communication and identical cryptocurrency wallet extension targeting as previous variants.
Stage Three: InvisibleFerret Backdoor
The final payload is InvisibleFerret, a modular backdoor attributed to Lazarus's Famous Chollima subgroup. Delivered as a PyInstaller executable with embedded Python 3.10 runtime, it provides:
- Persistent C2 connectivity
- System-wide keylogging
- Clipboard monitoring and crypto address manipulation
- File system monitoring and exfiltration
- Multi-channel exfiltration over HTTP, FTP, and Telegram
Campaign Scale
Active since at least 2023, Contagious Interview shows no signs of slowing:
- Hundreds of malicious GitHub repositories
- Hundreds of malicious npm packages
- Continuous publication of new lures after takedowns
Why Developers Are Targeted
By compromising individual developers, Lazarus gains access to:
- Corporate source code repositories
- Cloud infrastructure credentials
- Cryptocurrency wallets and exchanges
- Software supply chains
The United Nations estimates DPRK-linked hacking has generated billions of dollars through cryptocurrency theft to fund weapons programs.
Recommendations
- Treat unsolicited recruiter messages with suspicion
- Never run interview-related code outside isolated VMs
- Monitor for unusual outbound connections from dev systems
- Watch for access to browser databases, cloud credential directories, and wallet files
- Verify recruiters independently before engaging
