The Socket Threat Research Team warns of ongoing North Korean cyber operations exploiting open-source npm packages to target Web3 and blockchain developers. These campaigns involve sophisticated supply chain attacks, fake personas, and malicious package impersonations linked to significant cryptocurrency theft.
Key points
- The Socket team has uncovered over 338 malicious npm packages attributed to North Korean operatives since July 2025.
- The attackers use social engineering, fake LinkedIn job offers, and typosquatted dependencies to compromise developers' machines.
- Malicious payloads include loaders that decrypt obfuscated code and deploy backdoors like BeaverTail and InvisibleFerret.
- The operation is highly organized, continuously evolving, and state-backed, with a focus on cryptocurrency theft and credential harvesting.
- Deleting packages alone is ineffective: as long as the publisher accounts remain active, the attackers can re-upload packages and keep the campaign running.
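Because typosquatted dependencies are one of the infection vectors named above, a defender's first cheap check is a lookalike scan of a project's manifest. The script below is an added example, not code from Socket or from the report; the "known package" allowlist and the sample package.json are constructed for illustration and do not correspond to any real campaign package. It normalises dependency names (scope stripped, case and punctuation removed) and flags any name within a small edit distance (insertions, deletions, substitutions and adjacent transpositions) of a vetted name.

```javascript
// Added example: flag dependency names that resemble well-known packages.
// KNOWN_PACKAGES is a constructed allowlist; a real deployment would use the
// organisation's own vetted list (assumption, not something the report specifies).
const KNOWN_PACKAGES = ["express", "lodash", "ethers", "web3", "axios", "react", "chalk"];

// Optimal-string-alignment edit distance: insert, delete, substitute, and
// transposition of two adjacent characters (the classic "lodahs" for "lodash").
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Strip an npm scope (@org/name -> name) and remove case/punctuation differences,
// so "Web-3" and "web3" compare as the same string.
function normalise(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().replace(/[-_.]/g, "");
}

// Scan a parsed package.json object. Returns one finding per (dependency, known name)
// pair whose normalised edit distance is <= maxDistance. Exact allowlist hits are skipped;
// a distance of 0 after normalisation means the names differ only in case/punctuation.
function findSuspiciousDependencies(pkg, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const dep of Object.keys(deps)) {
    if (known.includes(dep)) continue; // exact, vetted name
    const n = normalise(dep);
    for (const k of known) {
      const dist = editDistance(n, normalise(k));
      if (dist <= maxDistance) {
        findings.push({ dependency: dep, resembles: k, distance: dist });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not taken from any real project or from the report).
const SAMPLE_PACKAGE_JSON = {
  name: "sample-dapp",
  dependencies: { express: "^4.19.0", ethres: "^6.0.0", "web-3": "^1.0.0" },
  devDependencies: { lodahs: "^4.0.0" },
};

for (const f of findSuspiciousDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.dependency} resembles ${f.resembles} (distance ${f.distance})`);
}
```

Run it with `node` against a manifest loaded via `JSON.parse(fs.readFileSync("package.json"))` in place of the sample object. The check only catches lookalike names; it says nothing about a package published under a plausible original name or about a vetted name whose publisher account has been taken over, which is why the report's point about active publisher accounts matters beyond any name-based filter.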