BeaverTail Malware Found in npm Packages: Crypto Sector at Risk
Three malicious packages, uploaded to the npm repository in September 2024, contained the well-known BeaverTail malware—a JavaScript loader and data theft tool linked to a North Korean campaign named “Contagious Interview.”
The Datadog Security Research team is tracking this malicious activity under the codename “Tenacious Pungsan,” also known as CL-STA-0240 and Famous Chollima. The malware-laden packages have since been removed from the npm repository. They included:
- passports-js (a malicious copy of the “passport” library, 118 downloads);
- bcrypts-js (a malicious copy of “bcryptjs,” 81 downloads);
- blockscan-api (a malicious copy of “etherscan-api,” 124 downloads).
“Contagious Interview” is a months-long campaign in which threat actors deceive developers into downloading malicious files or using fake video conferencing applications under the guise of test assignments. This campaign was first detected in November 2023.
Such npm-based attacks have been observed previously. In August 2024, Phylum discovered other compromised packages, including temp-etherscan-api and telegram-con, which were used to deploy BeaverTail and a Python backdoor called InvisibleFerret. The ongoing impersonation of the etherscan-api package signals a sustained interest by cybercriminals in the cryptocurrency sector.
Additionally, in September 2024, Stacklok reported the detection of new malicious packages—eslint-module-conf and eslint-scope-util—designed to mine cryptocurrency and maintain persistent access to developers’ machines. According to Unit 42 (Palo Alto Networks), attackers are increasingly exploiting job seeker trust to disseminate malware through job listings and test assignments.
Experts emphasize the growing risks associated with open repositories. The manipulation of legitimate npm packages to insert malicious code has become a common tactic, and developers remain a prime target for North Korean hackers.