North Korean Hackers Exploit NPM Packages to Steal Cryptocurrency and Sensitive Data


Veracode Threat Research has uncovered a sophisticated North Korean cryptocurrency theft operation that continues to evolve, building on campaigns previously reported in February and June 2024.

This latest iteration involves twelve malicious NPM packages, including cloud-binary, json-cookie-csv, cloudmedia, and nodemailer-enhancer, which were flagged by automated monitoring systems and subsequently removed from the NPM registry.

The attackers, suspected to be state-sponsored actors aiming to fund sanctioned activities, impersonate recruiters offering fake developer jobs.

During simulated interviews, victims are tricked into installing these packages as part of coding exercises, such as running unit tests that execute hidden malware.

This tactic exploits trust in the hiring process to deploy payloads that exfiltrate cryptocurrency wallet data, browser extension credentials, and other sensitive files from developers’ machines, potentially enabling corporate network breaches.

[Figure: typosquat on the cloudinary NPM package]

Targets Developers Through Fake Job Interviews

The malware, identified as variants of the Beavertail family, employs advanced ...


Copyright of this story solely belongs to gbhackers.