Home Security BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

by


Oct 28, 2024Ravie LakshmananMalware / Threat Intelligence

Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.

The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers CL-STA-0240 and Famous Chollima.

Cybersecurity

The names of the malicious packages, which are no longer available for download from the package registry, are listed below –

  • passports-js, a backdoored copy of the passport (118 downloads)
  • bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
  • blockscan-api, a backdoored copy of etherscan-api (124 downloads)

Contagious Interview refers to a yearlong-campaign undertaken by the Democratic People’s Republic of Korea (DPRK) that involves tricking developers into downloading malicious packages or seemingly innocuous video conferencing applications as part of a coding test. It first came to light in November 2023.

BeaverTail Malware

This is not the first time the threat actors have used npm packages to distribute BeaverTail. In August 2024, software supply chain security firm Phylum disclosed another bunch of npm packages that paved the way for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.

The names of the malicious packages identified at the time were temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. One aspect that’s common to the two sets of packages is the continued effort on the part of the threat actors to mimic the etherscan-api package, signaling that the cryptocurrency sector is a persistent target.

Cybersecurity

Then last month, Stacklok said it detected a new wave of counterfeit packages – eslint-module-conf and eslint-scope-util – that are designed to harvest cryptocurrencies and establish persistent access to compromised developer machines.

Palo Alto Networks Unit 42 told The Hacker News earlier this month the campaign has proven to be an effective way to distribute malware by exploiting a job seeker’s trust and urgency when applying for opportunities online.

The findings highlight how threat actors are increasingly misusing the open-source software supply chain as an attack vector to infect downstream targets.

“Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem,” Datadog said. “These campaigns, along with Contagious Interview more broadly, highlight that individual developers remain valuable targets for these DPRK-linked threat actors.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex