Datadog Security Research uncovered three backdoored npm packages (passports-js, bcrypts-js, blockscan-api) delivering BeaverTail to job-seekers as part of the Contagious Interview campaign linked to North Korean actors. The campaign uses obfuscated code and shared infrastructure to steal cryptocurrency wallet data and browser-stored credentials; the packages were removed from npm shortly after discovery. #BeaverTail #ContagiousInterview
Key points
- Three malicious npm packages discovered: passports-js, bcrypts-js, and blockscan-api.
- These packages contained samples of BeaverTail malware, linked to North Korean threat actors.
- The malware is part of the Contagious Interview campaign targeting job-seekers in the US tech industry.
- Malicious packages were backdoored copies of legitimate npm packages.
- Code obfuscation techniques were used to hide malicious behavior in the packages.
- Datadog’s GuardDog tool identified the malicious packages through continuous monitoring.
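As an added, defender-side example (not code from the Datadog post or from GuardDog), the check below compares a suspect package's files against the upstream package it claims to copy, reports what was added or modified, and flags new lines that match common JavaScript obfuscation patterns. The package contents, the injected line, and the heuristic thresholds (hex escapes, `_0x` identifiers, line length) are constructed stand-ins and my own assumptions.

```python
import json
import re

# Heuristics for lines typical of machine-obfuscated JavaScript; thresholds are
# my own assumptions, not values from the Datadog post or from GuardDog.
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")         # '\x68\x74...' string encoding
OBF_IDENT = re.compile(r"\b_0x[0-9a-fA-F]{2,}\b")     # '_0x4b2c'-style identifiers


def looks_obfuscated(line, max_len=300, min_hex=6, min_ident=3):
    """True if a single source line is very long, hex-escape heavy, or uses _0x names."""
    return (len(line) > max_len
            or len(HEX_ESCAPE.findall(line)) >= min_hex
            or len(OBF_IDENT.findall(line)) >= min_ident)


def compare_packages(upstream, suspect):
    """Diff a suspect package (path -> contents) against the package it claims to copy.

    Returns files added or modified in the suspect copy and, for those files only,
    the 1-based numbers of lines not inherited from upstream that look obfuscated.
    """
    added = sorted(set(suspect) - set(upstream))
    modified = sorted(p for p in upstream if p in suspect and upstream[p] != suspect[p])
    obfuscated = {}
    for path in added + modified:
        known = set(upstream.get(path, "").splitlines())   # lines inherited from upstream
        hits = [n for n, line in enumerate(suspect[path].splitlines(), 1)
                if line not in known and looks_obfuscated(line)]
        if hits:
            obfuscated[path] = hits
    return {"added": added, "modified": modified, "obfuscated": obfuscated}


# Constructed stand-ins for an upstream package and a renamed copy of it; the
# injected line mimics a common obfuscator layout and is not taken from the malware.
OBF_LINE = (r"var _0x4b2c=['\x68\x74\x74\x70','\x67\x65\x74'];"
            r"(function(_0xab,_0xcd){while(--_0xcd){_0xab.push(_0xab.shift());}}(_0x4b2c,0x1a));")
UPSTREAM = {
    "package.json": '{"name": "example-api", "version": "1.0.0", "main": "index.js"}\n',
    "index.js": "module.exports = { get: (key) => fetch(`https://api.example.test/${key}`) };\n",
    "README.md": "# example-api\n",
}
SUSPECT = {
    "package.json": '{"name": "example-api-js", "version": "1.0.0", "main": "index.js"}\n',
    "index.js": UPSTREAM["index.js"] + OBF_LINE + "\n",   # upstream code plus an appended payload
    "README.md": UPSTREAM["README.md"],
    "lib/loader.js": 'require("../index");\n',             # file not present upstream
}

if __name__ == "__main__":
    print(json.dumps(compare_packages(UPSTREAM, SUSPECT), indent=2))
```

Run against a real suspect, the two dicts would be built from the extracted tarballs of the suspect package and of the upstream package at the same version; the renamed copy then shows up as a small set of added or modified files carrying the obfuscated lines.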
MITRE Techniques
- [T1027] Obfuscated Files or Information – Obfuscated lines used to conceal malicious behaviors. ‘[The obfuscated line found in passports-js, shown in the following image, uses all but the last of these techniques.]’
- [T1195] Supply Chain Compromise – one of the packages ‘is a backdoored copy of another package, etherscan-api.’
- [T1003] Credential Dumping – ‘Targets sensitive information stored in browser caches and login keychains.’
- [T1041] Data Exfiltration – ‘Exfiltrates stolen data to attacker-controlled C2 servers.’
- [T1071] Command and Control – ‘Communicates with C2 servers for data exfiltration and malware updates.’
Indicators of Compromise
- [IP addresses] Data exfiltration, etc. – 95.164.17[.]24
- [NPM authors] context – superdev727, intelliman
- [Emails] context – [email protected]
- [Packages published] context – passports-js, bcrypts-js, blockscan-api