20 matches found
Malicious Package
Overview: tailwind-mainanimation is a malicious package. Upon installation, it silently injects obfuscated JavaScript into the end of legitimate project configuration files like tailwind.config.js. To evade detection, the malware rewrites git history, forging timestamps so the malicious commit...
North Korea-Linked Hackers Target Developers via Malicious VS Code Projects
The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The latest finding demonstrates continued evolution of the new...
Lazarus Group Embed New BeaverTail Variant in Developer Tools
North Korea’s Lazarus Group deploys a new BeaverTail variant to steal credentials and crypto using fake job lures, dev tools, and smart contracts...
North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels
The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads. "The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host...
North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware
The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset. That's according to new findings from Cisco Talos, which said recent...
NK’s Famous Chollima Use BeaverTail and OtterCookie Malware in Job Scam
North Korea's Famous Chollima is back, merging BeaverTail and OtterCookie malware to target job seekers. Cisco Talos details the new threat. Keylogging, screen recording, and cryptocurrency wallet theft detected in an attack...
DPRK Hackers Use ClickFix to Deliver BeaverTail Malware in Crypto Job Scams
Threat actors with ties to the Democratic People's Republic of Korea (aka DPRK or North Korea) have been observed leveraging ClickFix-style lures to deliver a known malware called BeaverTail and InvisibleFerret. "The threat actor used ClickFix lures to target marketing and trader roles in...
North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader. "These latest samples employ hexadecimal...
North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS
The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process. "Targets are typically asked to communicate with an interviewer through a link that throws a...
BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers
Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview. The Datadog Security Research team is...
N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware
Threat actors with ties to North Korea have been observed targeting job seekers in the tech industry to deliver updated versions of known malware families tracked as BeaverTail and InvisibleFerret. The activity cluster, tracked as CL-STA-0240, is part of a campaign dubbed Contagious Interview tha...
Malicious code in eslint-scope-util (npm)
The package contains the BeaverTail infostealer malware associated with DPRK threat actors. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c97eb42ab9ab02fd3a0e93acf449bb0fc75b1af462f6221cfca5d3b14588a0fb Any computer that has this package installed or running shoul...
MAL-2024-8845 Malicious code in eslint-module-conf (npm)
The package contains the BeaverTail infostealer malware associated with DPRK threat actors. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 57ba9b08d4ba893169691f9b674d05dc209e43e0932a266fbac6479a5e1dc398 Any computer that has this package installed or running should...
MAL-2024-8846 Malicious code in eslint-scope-util (npm)
The package contains the BeaverTail infostealer malware associated with DPRK threat actors. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c97eb42ab9ab02fd3a0e93acf449bb0fc75b1af462f6221cfca5d3b14588a0fb Any computer that has this package installed or running shoul...
Malicious code in eslint-module-conf (npm)
The package contains the BeaverTail infostealer malware associated with DPRK threat actors. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 57ba9b08d4ba893169691f9b674d05dc209e43e0932a266fbac6479a5e1dc398 Any computer that has this package installed or running should...
MAL-2024-8847 Malicious code in ethersscan-api (npm)
The package contains the BeaverTail infostealer malware associated with DPRK threat actors. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2bdf32a4e45ba09760610d3f87cf8cfdae4d386a4ee4df99f1973ab577373620 Any computer that has this package installed or running shoul...
North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS
The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems. The activity cluster, dubbed DEVPOPPER and linked to North Korea, has been found to have singled out...
North Korean Hackers Update BeaverTail Malware to Target MacOS Users
Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers. The artifact in question is an Apple macOS disk...
Bogus npm Packages Used to Trick Software Developers into Installing Malware
An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name DEVPOPPER, linking it to North Korean threat...
North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns
North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world. The activity clusters have been codenamed Contagious...