Malicious npm Package Lures Job Seekers and Exfiltrates Sensitive Data
gbhackers
A self-proclaimed Ukrainian Web3 team targeted a community member during the first round of an interview, instructing them to clone and run a GitHub repository named EvaCodes-Community/UltraX.
Suspecting foul play, the individual contacted the SlowMist security team, who conducted a thorough analysis and uncovered malicious components embedded within the project’s dependencies. With consent, SlowMist issued a public advisory highlighting the risks.
Threat in a Fake Interview Process
The repository, appearing as a legitimate open-source project, had recently updated its package.json to replace the deprecated redux-ace@1.0.3 with a new package, rtk-logger@1.11.5.
The former had been delisted by npm’s security team for containing malware, while the latter, freshly published, linked to a now-deleted GitHub source, amplifying suspicions.
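
A check that can be run on a cloned repository's manifest and lockfile before `npm install`, as an added example that is not from the article or from SlowMist's analysis: it flags the two package names reported above, including npm aliases and transitive lockfile entries. The function names and the sample manifest and lockfile are constructed for illustration.

```javascript
// Package names the article reports as malicious (redux-ace@1.0.3, rtk-logger@1.11.5).
const FLAGGED = new Set(['redux-ace', 'rtk-logger']);
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// An alias such as "logger": "npm:redux-ace@1.0.3" hides the real name in the range.
function realName(name, range) {
  const m = /^npm:((?:@[^/]+\/)?[^@]+)/.exec(String(range));
  return m ? m[1] : name;
}

// Direct dependencies declared in package.json, whatever the version range.
function scanManifest(manifest) {
  const hits = [];
  for (const field of DEP_FIELDS) {
    for (const [key, range] of Object.entries(manifest[field] || {})) {
      const name = realName(key, range);
      if (FLAGGED.has(name)) hits.push({ where: `package.json ${field}`, name, version: range });
    }
  }
  return hits;
}

// Resolved packages in package-lock.json, transitive ones included.
function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split('node_modules/').pop();
      if (FLAGGED.has(name)) hits.push({ where: path, name, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, trail) => { // lockfileVersion 1: nested dependency tree
    for (const [key, meta] of Object.entries(deps || {})) {
      const name = realName(key, meta.version);
      if (FLAGGED.has(name)) hits.push({ where: `${trail}/${key}`, name, version: meta.version });
      walk(meta.dependencies, `${trail}/${key}`);
    }
  };
  walk(lock.dependencies, 'root');
  return hits;
}

// Constructed sample input (not taken from the UltraX repository).
const sampleManifest = { dependencies: { react: '^18.2.0', 'rtk-logger': '^1.11.5' },
  devDependencies: { logger: 'npm:redux-ace@1.0.3' } };
const sampleLock = { lockfileVersion: 3, packages: { '': { name: 'constructed-demo' },
  'node_modules/react': { version: '18.2.0' }, 'node_modules/rtk-logger': { version: '1.11.5' },
  'node_modules/logger': { name: 'redux-ace', version: '1.0.3' } } };
console.log(scanManifest(sampleManifest).concat(scanLockfile(sampleLock)));
```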

Analysis located the malicious code in the package's /rtk-logger/lib/utils/smtp-connection directory, where index.js imports modules, reads a ...
Copyright of this story solely belongs to gbhackers.