North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages

In a chilling continuation of the Contagious Interview campaign, North Korean state-sponsored threat actors are actively exploiting the npm ecosystem, using it as a delivery channel for the BeaverTail malware and a new Remote Access Trojan (RAT) loader. This campaign is attributed to the Lazarus Group, a well-known advanced persistent threat (APT) group.


The Malicious Packages

Security researcher Kirill Boychenko from Socket reports that these packages use hexadecimal string encoding to evade detection by automated scanners and manual reviewers.

Here are the 11 malicious packages, downloaded over 5,600 times before takedown:

  • empty-array-validator
  • twitterapis
  • dev-debugger-vite
  • snore-log
  • core-pino
  • events-utils
  • icloud-cod
  • cln-logger
  • node-clog
  • consolidate-log
  • consolidate-logger

Some of these packages—like events-utils and icloud-cod—were linked to Bitbucket repositories (instead of GitHub), showing the attackers expanding their reach across multiple hosting platforms. The icloud-cod package was found hosted inside a folder named "eiwork_hire", consistent with the recruitment-themed social engineering lure used throughout the campaign.

Malware Capabilities

These packages contain loaders capable of:

  • Executing remote JavaScript code via eval()
  • Exfiltrating SSH keys, credentials, and financial data
  • Installing second-stage payloads like InvisibleFerret (Python backdoor) and the newly discovered Tropidoor (Windows backdoor)

Tropidoor allows attackers to:

  • Take screenshots
  • Execute and kill processes
  • Exfiltrate files
  • Overwrite and wipe data
  • Use native Windows commands (e.g., schtasks, ping, reg)

Attack Pattern

The malware campaign exploits the trust developers place in npm. Attackers pose as recruiters and lure victims into cloning infected projects from Bitbucket. These projects are disguised as legitimate job application tasks and carry the BeaverTail malware hidden in configuration files (for example tailwind.config.js), alongside DLL downloaders.


Defence Strategies for Developers and Organizations

1. Audit Your Dependencies

  • Use tools like Snyk, npm audit, and Socket.dev to scan for known vulnerabilities and malicious behaviours.
  • Avoid new or suspicious packages with low download counts or vague descriptions.

2. Limit Remote Code Execution

  • Disable or restrict post-install scripts in npm where possible.
  • Avoid running untrusted code without sandboxing.

3. Educate Teams

  • Train developers to spot typosquatting and recruiter-based social engineering.
  • Simulate phishing scenarios during onboarding or annually.

4. Code Review & Pen Testing

  • Conduct regular source code audits and penetration testing to uncover risks before attackers do.

5. Isolate Build Environments

Prevent infected packages from spreading by isolating CI/CD pipelines from production assets.


About Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions (ICSS) is your trusted partner in building a safer digital future. We specialize in delivering advanced cybersecurity solutions designed to protect businesses from the ground up.

With our AI-powered platform SAVE and expert-led VAPT services, we help organizations detect vulnerabilities before attackers do, minimize risks, and maintain compliance with confidence.

At ICSS, we go beyond just securing systems — we empower teams, fortify infrastructures, and future-proof your digital environment.

At ICSS, we believe in not just protecting businesses—but preparing them for the future.

Ready to protect your digital future?

Explore our services at 👉 indiancybersecuritysolutions.com
