North Korean Threat Actors Flood npm with Malicious Packages

In 2024, DPRK-linked groups dramatically escalated their campaign to compromise developers through malicious npm packages, using fake job offers and typosquatting to deploy infostealers and backdoors.

Yukti Singhal
Security Researcher

Throughout 2024, North Korean state-sponsored threat actors, primarily tracked as Jade Sleet (Microsoft), TraderTraitor (CISA), and Lazarus Group (industry), have dramatically escalated their operations targeting the JavaScript and Node.js ecosystem. Phylum, Socket, and other package security firms have identified hundreds of malicious npm packages linked to DPRK campaigns, representing a sustained and evolving effort to compromise software developers.

This is not a new phenomenon. North Korean actors have targeted npm since at least 2022. But the 2024 campaigns show a level of scale, sophistication, and persistence that marks a significant escalation.

Campaign Overview

The DPRK npm campaigns in 2024 operate along two primary vectors:

Vector 1: Fake Job Interview Packages

The most prominent campaign, dubbed "Contagious Interview" by Palo Alto's Unit 42, targets software developers through fake job recruitment. The operation works as follows:

  1. DPRK operatives create convincing LinkedIn and GitHub profiles posing as recruiters from legitimate tech companies.
  2. They contact developers with attractive job offers, typically for remote positions at well-known companies.
  3. During the "interview process," candidates are asked to complete a coding challenge by cloning a GitHub repository or installing an npm package.
  4. The repository or package contains obfuscated malicious code that deploys an infostealer (typically "BeaverTail") and a backdoor ("InvisibleFerret").

The malicious packages often have legitimate-sounding names like dev-debugger-vite, events-utils, or auth-validator. They typically contain a functional code library with the malicious payload hidden in obfuscated post-install scripts or deeply nested dependency files.

Vector 2: Typosquatting and Dependency Confusion

Separately, DPRK actors publish packages with names designed to be mistaken for popular legitimate packages:

  • lodashs (typosquat of lodash)
  • reacte-router (typosquat of react-router)
  • axios-retryy (typosquat of axios-retry)
  • express-sesssion (typosquat of express-session)

These packages are designed to catch developers who make typos in their npm install commands or who do not carefully verify package names when adding dependencies.
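A name-similarity check of the kind that catches these lookalikes before install, as an added example (not code from any vendor named in this article). The POPULAR list and the distance thresholds are assumptions; the sample dependency list is constructed from the names above.

```javascript
// Added example: flag dependency names that sit within a small edit distance
// of a well-known package. POPULAR is a constructed allowlist; a real gate
// would load the organisation's approved or most-downloaded package list.
const POPULAR = ["lodash", "react-router", "axios-retry", "express-session", "express", "react"];

// Optimal string alignment distance: insert, delete, substitute, adjacent transpose.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Strip separators so "react_router" and "react-router" compare equal.
const normalize = (name) => name.toLowerCase().replace(/[-_.]/g, "");

function findTyposquats(dependencies, popular = POPULAR, maxDistance = 2) {
  const known = new Set(popular);
  const findings = [];
  for (const name of dependencies) {
    if (known.has(name)) continue; // exact match is the real package
    for (const target of popular) {
      const dist = editDistance(normalize(name), normalize(target));
      // Short names collide by chance, so keep the distance small relative to length.
      if (dist <= maxDistance && dist < target.length / 3) {
        findings.push({ name, resembles: target, distance: dist });
        break;
      }
    }
  }
  return findings;
}

// Constructed dependency list using the lookalike names from this article.
const sampleDeps = ["lodash", "lodashs", "reacte-router", "axios-retryy", "express-sesssion", "chalk"];
console.log(findTyposquats(sampleDeps));
```

Name similarity only covers the typosquatting vector; the fake-interview packages described earlier use plausible original names and need behavioral checks instead.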

Technical Analysis of Payloads

The malicious payloads delivered through these campaigns have evolved throughout 2024.

BeaverTail is a JavaScript-based infostealer that runs in the Node.js environment. It collects:

  • Browser credentials and cookies from Chrome, Firefox, and Brave.
  • Cryptocurrency wallet data (MetaMask, Phantom, Coinbase Wallet extensions).
  • SSH keys and git credentials from the developer's home directory.
  • Environment variables that may contain API keys and tokens.

InvisibleFerret is a Python-based backdoor that BeaverTail downloads as a second-stage payload. It provides:

  • Persistent remote access to the compromised machine.
  • Keylogging and clipboard monitoring.
  • File exfiltration capabilities.
  • The ability to download and execute additional payloads.

Later variants observed in mid-2024 added browser extension manipulation, injecting code into cryptocurrency wallet extensions to redirect transactions to attacker-controlled wallets.

Scale and Impact

The numbers from 2024 are stark:

  • Phylum identified over 300 malicious npm packages linked to DPRK campaigns between January and August 2024.
  • Socket reported detecting and flagging approximately 50 packages per month attributed to these campaigns.
  • The packages collectively accumulated over 50,000 downloads before detection and removal.
  • Multiple confirmed compromises of individual developers and at least two startup companies were publicly reported.

The financial motivation is clear. North Korea's cyber operations generate an estimated $1-2 billion annually, funding the regime's weapons programs. Cryptocurrency theft from compromised developers is a significant revenue stream, with over $600 million in cryptocurrency theft in 2023 attributed to the Lazarus Group alone (including the Ronin bridge hack).

Why Developers Are Targeted

Software developers are high-value targets for several reasons:

Access to code signing keys and deployment credentials: A compromised developer workstation often contains the credentials needed to push code to production, sign software releases, or access cloud infrastructure.

Cryptocurrency holdings: Developers in the Web3 space frequently hold significant cryptocurrency assets and have access to smart contract deployment keys.

Supply chain leverage: Compromising a developer who maintains popular open-source packages provides a potential vector for supply chain attacks affecting thousands of downstream users.

Trust in package managers: Developers routinely run npm install without scrutinizing every package. The npm ecosystem's culture of small, composable packages means that a typical project has hundreds of dependencies, making it impractical to manually review each one.

Detection Challenges

These campaigns are particularly difficult to detect because:

Packages are functional: Unlike crude typosquats that contain only malicious code, DPRK packages often include legitimate functionality alongside the hidden payload. A developer who installs the package and tests its documented features may not notice anything suspicious.

Obfuscation is sophisticated: The malicious code is typically obfuscated using multiple layers of encoding, minification, and string manipulation. Static analysis tools may not flag the code as suspicious because the obfuscation patterns are common in legitimate minified JavaScript.

Social engineering is convincing: The fake recruiter profiles are well-crafted, with realistic work histories, connections, and activity. Some campaigns use actual stolen identities of real recruiters.

Rapid package rotation: When a malicious package is detected and removed, the actors publish a new package with a different name within hours. The speed of iteration outpaces manual review processes.

Defensive Measures

For individual developers:

  • Be skeptical of unsolicited job offers that require installing packages or cloning repositories as part of the interview process. Legitimate companies use standard coding platforms like HackerRank or CoderPad for technical assessments.
  • Use a sandboxed environment (VM or container) for any code evaluation during job interviews.
  • Disable install scripts by default with npm config set ignore-scripts true (the persistent form of npm's --ignore-scripts flag), and review install scripts before running them.
  • Use lockfiles (package-lock.json) and verify package integrity with npm audit signatures.
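With install scripts disabled, the lockfile shows which packages still need review. The following added example (not from the original article) audits a parsed package-lock.json using its hasInstallScript, integrity and resolved fields; the reviewed-scripts allowlist, the registry URL and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// REGISTRY and ALLOWED_SCRIPTS are assumptions for this sketch.
const REGISTRY = "https://registry.npmjs.org/";
const ALLOWED_SCRIPTS = new Set(["esbuild"]); // packages whose install scripts were reviewed

function auditLockfile(lock, allowedScripts = ALLOWED_SCRIPTS, registry = REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, local workspace folders and symlinked entries.
    if (!path.includes("node_modules/") || entry.link) continue;
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (entry.hasInstallScript && !allowedScripts.has(name)) {
      findings.push({ name, version: entry.version, issue: "install-script" });
    }
    if (!entry.integrity) {
      findings.push({ name, version: entry.version, issue: "missing-integrity" });
    }
    if (entry.resolved && !entry.resolved.startsWith(registry)) {
      findings.push({ name, version: entry.version, issue: "unexpected-source" });
    }
  }
  return findings;
}

// Constructed lockfile fragment; versions, hashes and URLs are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/esbuild": { version: "0.0.0", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.0.0.tgz", integrity: "sha512-PLACEHOLDER" },
    "node_modules/events-utils": { version: "0.0.0", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/events-utils/-/events-utils-0.0.0.tgz", integrity: "sha512-PLACEHOLDER" },
    "node_modules/events-utils/node_modules/@example/helper": { version: "0.0.0",
      resolved: "https://example.invalid/helper-0.0.0.tgz" },
  },
};
console.log(auditLockfile(sampleLock));
```

Each install-script finding is a package whose preinstall, install or postinstall script should be read before it is allowed to run.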

For organizations:

  • Implement a private npm registry (Artifactory, Nexus, or npm Enterprise) that proxies the public registry and allows for security scanning and approval of new packages.
  • Use tools like Socket, Snyk, or Phylum that perform behavioral analysis on packages, detecting suspicious patterns like network calls in install scripts or file system access outside the package directory.
  • Monitor developer workstations for signs of compromise, particularly unexpected outbound connections, new browser extensions, and modifications to SSH or git credentials.
  • Establish clear policies for code review of new dependencies, including automated checks for typosquatting and recently published packages.

How Safeguard.sh Helps

Safeguard.sh provides automated defense against malicious package campaigns.

  • Package reputation analysis evaluates npm packages based on publication date, author history, download patterns, and behavioral characteristics, flagging suspicious packages before they enter your dependency tree.
  • Typosquatting detection identifies packages with names suspiciously similar to popular libraries, alerting developers before they install a malicious lookalike.
  • SBOM monitoring continuously tracks all packages in your software supply chain, alerting you when any package is flagged as malicious, deprecated, or compromised.
  • Policy gates can enforce organizational rules such as blocking packages published within the last 30 days, packages with no maintainers, or packages that execute scripts during installation.

The npm ecosystem delivers extraordinary productivity. But that productivity comes with supply chain risk that requires active management.
