{
	"id": "42105e0b-72c3-49f6-a103-e8e018d857ed",
	"created_at": "2026-04-06T02:12:08.916667Z",
	"updated_at": "2026-04-10T13:11:50.994337Z",
	"deleted_at": null,
	"sha1_hash": "646e2064885f535853ba5050f7a09eb15749458c",
	"title": "Dependency hijacking: Dissecting North Korea’s new wave of DeFi-themed open source attacks targeting developers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12226208,
	"plain_text": "Dependency hijacking: Dissecting North Korea’s new wave of DeFi-themed open source attacks targeting developers\r\nArchived: 2026-04-06 01:33:44 UTC\r\nExecutive Summary\r\nOver recent days, Stacklok has identified a new wave of malicious NPM package activity from DPRK-aligned threat actors\r\ntargeting developers and jobseekers in the cryptocurrency, NFT, and Web3 sectors. These packages are a key early-stage\r\ncomponent of a complex, layered attack chain designed to harvest cryptocurrencies and establish persistent access to\r\ncompromised developer machines.\r\nThese objectives are achieved by embedding a cross-platform JavaScript information stealer and loader known as\r\nBeaverTail within copies of legitimate NPM packages. BeaverTail fetches InvisibleFerret, a multi-component Python\r\npayload responsible for further sensitive data exfiltration and remote control capabilities.\r\nThe attack chain is triggered when unsuspecting job applicants, often lured through fake recruitment efforts, are directed to\r\nclone GitHub repositories that include the malicious NPM packages as a dependency. 
This general form of social\r\nengineering via fake job interviews is a common initial access vector associated with North Korean threat actors, typically\r\nusing LinkedIn to establish contact.\r\nThe TTPs and attack infrastructure involved are consistent with a continuation of the campaign previously dubbed\r\nContagious Interview by PaloAlto Unit42 last year.\r\nThe threat actors behind the ongoing operation have recently experimented with delivering BeaverTail and InvisibleFerret\r\nvia a MacOS disk image (dmg) imitating MiroTalk, a video call application.\r\nHowever, this set of packages is largely in line with the earlier JavaScript-based attack variants, apart from utilizing different\r\nstyles of obfuscation when compared to previous samples.\r\nMalicious NPM packages detected\r\nethersscan-api\r\neslint-module-conf\r\neslint-scope-util\r\nTechnical Details\r\nTrusty Package Detection\r\nStacklok’s package analysis platform, Trusty, alerted us to three suspicious npm packages without a verified claim to a\r\nsource repository. All three were published by the same author, richard_dev . Our static code analysis system had also\r\nflagged the presence of obfuscated JavaScript code within all 3 of the packages.\r\nhttps://web.archive.org/web/20250206220041/https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers\r\nPage 1 of 11\n\nStarjacking Legitimate Repositories\r\nThe three identified malicious NPM packages were designed to mimic popular NodeJS packages:\r\n1. ethersscan-api falsely claimed to be associated with the legitimate etherscan-api repository, likely to typosquat\r\nunsuspecting users in the Ethereum community.\r\n2. eslint-module-conf linked itself to eslint-plugin-import, a package with over 22 million weekly downloads.\r\n3. 
eslint-scope-util claimed to be connected to eslint-scope, which had been deprecated in favor of a monorepo.\r\nAll three contained an additional, heavily obfuscated JavaScript source code file, sometimes hidden within subdirectories\r\nsuch as lib to evade detection.\r\nSocial Engineering\r\nPivoting from the npm packages we discovered, we were able to find an example of a GitHub repository utilized in\r\nsophisticated social engineering attacks involving job interviews in the DeFi or Web3 space. The threat actors will\r\nencourage targeted developers to clone a repository as part of a coding challenge or technical assessment, which will either\r\ndirectly contain malicious code or be dependent upon a malicious package.\r\nThe NFT_Marketplace project lists an earlier version of ethersscan-api (0.0.3, published 23rd August) as a dependency\r\nfor the private NodeJS package nuron-nextjs. Although newer versions of ethersscan-api have since been released, the\r\ncore functionality of the package remains largely unchanged. 
Hence it is assumed that this case is still relevant as an\r\nillustration of possible malware delivery through dependencies in open source projects.\r\nHidden within /backend/utils/apiFeatures.js is a call to a function from the malicious NPM package.\r\nNothing looks egregiously out of place here, but checking the source code of the dependency package, we see that inside\r\ninit.js, hash-blob.js is pulled in with require and used as an argument in the exported function.\r\nBy contrast, the legitimate package does not contain such an import, and does not pass a hash parameter.\r\nThis means that whatever is contained in the injected code, hash-blob.js, will be executed when the victim of the fake job\r\nprocess runs the Node project after cloning it from GitHub. This level of layering helps evade detection.\r\nBeaverTail Stealer \u0026 Loader\r\nAll three of the analyzed packages contain almost identical variants of BeaverTail distributed as heavily-obfuscated\r\nJavaScript. 
Taking the most recent package uploaded as an example, resolve.js (view in full in our Jail repo), the\r\nfollowing obfuscation techniques are evident:\r\nSelf-invoking functions (IIFE)\r\nHexadecimal encoding\r\nControl flow obfuscation\r\nString manipulation\r\nThese methods are characteristic of obfuscation via javascript-obfuscator, a more basic option than those employed in\r\nearlier BeaverTail variants.\r\nRemoving the initial layers of obfuscation, the functionality of the script becomes more apparent.\r\nThe dual purposes of stealing and loading subsequent stages were sufficiently visible that fully deobfuscating\r\nthe script was unnecessary.\r\nInformation Stealing\r\nAfter gathering some basic system information, the BeaverTail script dives into its cross-platform infostealing capabilities,\r\ntargeting sensitive browser database files for credentials, and enumerating the machine’s browsers for cryptocurrency wallet\r\nextensions.\r\nExtension ID Extension Name\r\nnkbihfbeogaeaoehlefnkodbefgpgknn Metamask Wallet (Chrome)\r\nejbalbakoplchlghecdalmeeeajnimhm Metamask Wallet (Edge)\r\nfhbohimaelbohpjbbldcngcnapndodjp Binance Wallet\r\nhnfanknocfeofbddgcijnmhnfnkdnaad Coinbase Wallet\r\nibnejdfjmmkpcnlpebklmnkoeoihofec TRON Wallet\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa Phantom Wallet\r\naeachknmefphepccionboohckonoeemg Coin98 Wallet\r\nhifafgmccdpekplomjjkcfgodnhcellj Crypto.com Wallet\r\njblndlipeogpafnldhgmapagcccfchpi Kaia Wallet\r\nacmacodkjbdgmoleebolmdjonilkdbch Rabby Wallet\r\ndlcobpjiigpikoobohmabehhmhfoodbb Argent X - Starknet 
Wallet\r\naholpfdialjgjfhomihkjbmgjidlcdno Exodus Web3 Wallet\r\nIt includes checks for MacOS-specific targets such as Solana ID files and iCloud Keychain.\r\nThe harvested files are then exfiltrated to a known North Korean C2 server, 95.164.17[.]24:1224. This server has been\r\nassociated with state-sponsored operations for several months.\r\nThe blob posted to the C2 is prepended with the campaign ID and the machine hostname.\r\nLoader\r\nThe more critical aspect of the BeaverTail script is its ability to download and execute additional payloads.\r\nIn this case, a Python script with the extension .npl is downloaded from a remote server with a URL of the format\r\nhttp://\u003cc2\u003e:1224/client/\u003ccampaign_ID\u003e (e.g., 3/525 here) and saved directly into the user’s home directory (referenced by\r\nthe variable _0x10e868).\r\nThis is the first component of the multistage Python malware known as InvisibleFerret.\r\nExecution of the script is ensured by the download of a Python binary if it is not already installed.\r\nInvisibleFerret\r\nInvisibleFerret is a Python-based malware delivered in multiple stages:\r\nStage 1: Downloads and executes subsequent payloads based on the host OS.\r\nStage 2: Implements RAT (Remote Access Trojan) capabilities, including keylogging and system fingerprinting.\r\nStage 3: Executes browser-stealing operations, targeting stored credentials and sensitive data in the victim's browser.\r\nInitial Installer\r\nThis first script, .npl, is again heavily obfuscated.\r\nIt consists of an anonymous function that takes a single argument __. It:\r\n1. Reverses the string __.\r\n2. Decodes the reversed string from base64 format using base64.b64decode.\r\n3. 
Decompresses the base64-decoded data using zlib.decompress.\r\nKnowing this, we can iteratively extract the argument string and follow this decoding and inflation pattern to unwind 50\r\nlayers of encoding and compression, leaving us with the underlying script.\r\nOnce fully deobfuscated, the script fetches additional components from the attacker's C2 server and executes them,\r\ndepending on the host operating system.\r\nFor all operating systems, http://\u003cc2_server\u003e/payload/\u003ccampaign_id\u003e is fetched and written to a hidden path, .n2/pay\r\nunder the home directory, before being executed with subprocess.Popen.\r\nIf the OS is Darwin (MacOS), the script then exits after the first stage. For all other operating systems, a tertiary payload is retrieved from\r\nthe /brow/ path, saved to .b2/bow, and executed.\r\nRAT Capabilities and Backdoor\r\nThe second component, .n2/pay, contains the core RAT-like functionality of InvisibleFerret.\r\nMachine fingerprinting\r\nKeylogging and clipboard logging\r\nRemote command execution\r\nExecuting a tertiary component\r\nDownloading AnyDesk\r\nRegular check-ins with C2 server\r\nThe same compression and encoding routine used in the earlier stage has been applied here and can be removed in a similar\r\nfashion to extract the unobfuscated Python payload for analysis.\r\nFingerprinting\r\nInvisibleFerret gathers detailed information on the local host OS and hardware attributes, along with the geographic location\r\nassociated with the IP address, in order to fingerprint the victim.\r\nThe fingerprint is then crafted into JSON format and uploaded to the C2 server.\r\nKeylogging and Clipboard Monitoring\r\nThe libraries pyHook and pyperclip are utilized to continually log keystrokes and clipboard content upon copy and 
paste\r\noperations.\r\nBrowser Stealer\r\nThe other script downloaded by the first stage, bow, is executed using the ssh_run function.\r\nC2 Commands\r\nThe Shell class, a snippet of which can be seen below, defines many functions to allow the operator to interact with the\r\nagent.\r\nThe backdoor waits for instructions from the C2 server, which are JSON formatted and contain one or more of the 8\r\navailable arguments.\r\n1. Command execution\r\n2. Closing the beaconing client session\r\n3. Sending the logged keystrokes and clipboard data\r\n4. Running the browser stealer\r\n5. File upload to FTP\r\n6. Kill browser processes\r\n7. Download AnyDesk\r\n8. Exfiltrate specific user folders\r\nIt uploads the results of these commands in JSON over a socket connection.\r\nCross-Platform Browser Stealer\r\nWhilst the tertiary component, .n2/bow, is only downloaded if the host OS is not MacOS, the script itself contains\r\ncomprehensive cross-platform support. Unlike earlier Python payload files, this final script was not hidden behind a\r\ncompression routine, and is largely unobfuscated.\r\nIt consists of almost 500 lines of meticulous, documented data extraction functionality for Chrome, Edge, Brave, Opera, and\r\nYandex browsers. 
It interacts directly with browser databases using sqlite3, implementing password decryption tailored\r\nfor each operating system.\r\nAnother key feature is the retrieve_web function, which queries the browser databases for credit card information.\r\nReporting\r\nAfter we confirmed all 3 NPM packages to be malicious, we reported our findings to the NPM Security team and the OSV\r\nmalicious packages database on 7th September. By 9th September they were removed from the NPM registry.\r\nDuring the period they were live, the packages were downloaded a combined 341 times:\r\nPackage Download count\r\nethersscan-api 91\r\neslint-module-conf 107\r\neslint-scope-util 143\r\nIt is likely a significant proportion of these downloads will have been from security tooling and automated tools, seeing as\r\nwe expect the attacks to be reasonably targeted, but we cannot confirm this. As such, the full extent of the compromise\r\nremains uncertain.\r\nConclusion\r\nDuring this investigation Stacklok uncovered a new variation of the combined BeaverTail and InvisibleFerret tooling used\r\nby DPRK-aligned threat actors in attacks abusing the open source supply chain.\r\nThe delivery mechanism - embedding JavaScript malware as a NodeJS dependency within a seemingly legitimate GitHub\r\nrepository - highlights the vulnerability of open-source ecosystems to such attacks. The additional malicious code which\r\nkicked off the infection chain was abstracted away from inspection by the user and, in many cases, automated security tools.\r\nWhile this incident involved the relatively simple case of a direct dependency, the complexity and resultant risk increase\r\nexponentially when considering transitive dependencies: indirect dependencies pulled in by third-party libraries. 
These\r\nnested dependencies increase the difficulty of identifying and mitigating security threats, expanding the attack surface.\r\nThreat actors are increasingly exploiting this web of complexity. The security of the open-source supply chain relies on\r\nmaintaining visibility and trust across every layer of the development process.\r\nIOCs\r\nFile\r\nName SHA256 ssdeep\r\n.npl b8a68c5c25e586319481603ddab11276f66965a4701f89abc181308edc1bdb53 96:I7XQcKxhwlRPKDU09c7RDXSi1z6V3821GppAqNMU\r\npay 2b7c7df496c6aff2f4339ad6b9dcc5bb43c81898d29332fd5378874f896a73dd 384:mBQ4EMdjMqJvfZbjLTjcamTfSioCph5ZX2hmzc2h1p\r\nbow d141bc9b5664a906ec501781edf7b7af2f8640b067fd90c7f36876cba764807b 192:HymQjtIkGN5V2kbeDA9rRbWfgjvG+LcIzfJ78pnS35l\r\nNetwork\r\nC2 Server: 95.164.17[.]24:1224\r\nSource: https://web.archive.org/web/20250206220041/https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20250206220041/https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers"
	],
	"report_names": [
		"dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441528,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/646e2064885f535853ba5050f7a09eb15749458c.pdf",
		"text": "https://archive.orkl.eu/646e2064885f535853ba5050f7a09eb15749458c.txt",
		"img": "https://archive.orkl.eu/646e2064885f535853ba5050f7a09eb15749458c.jpg"
	}
}