North Korea's Hacking Conveyor: Phishing, 338 npm Packages, and Hidden C2 Infrastructure
North Korea's hacking conveyor: phishing, 338 npm packages, 180+ npm aliases, and 15+ C2 endpoints form an entire ecosystem that abuses numerous common development components. We have previously seen North Korean groups infiltrate IT companies, as well as massive compromises of popular npm packages; however, this investigation shows an extremely thorough and consistent scheme and an unprecedented number of malicious npm packages and C2 endpoints.
"Contagious Interview is not a cybercrime hobby, it operates like an assembly line or a factory-model supply chain threat."
Social Engineering as the Main Entry Point for System Compromise
Another incident report highlighted social engineering as a key threat vector, and here it is one of the main components. A developer receives a message from an alleged recruiter with a "take-home" assignment. The link leads to a repository, an archive, or a document. While the developer prepares the environment, dependency installation starts, and the dependency tree includes a malicious module. The victim believes they are completing a test, but in fact triggers a stage in the supply chain and hands control to a loader.
Delivery and Execution Are Tied to Installation
The launch points are placed where they are guaranteed to trigger during normal development: lifecycle hooks like postinstall, code that runs on import, and small cross-platform wrappers. The current wave is moving away from direct droppers toward encrypted loaders. A small module hardcodes AES-256-CBC with a fixed key and IV, and a large ciphertext is stored inside the package, often in the LICENSE file. At the install or import stage, the contents are decrypted and passed to eval in memory. As a result, the second stage doesn't remain on disk as a readable artifact, and static checks see fewer signatures than in the case of ordinary bundles.
After the initial detonation, BeaverTail loads into memory. It registers the host, establishes communication over HTTP(S) and, if necessary, via WebSocket, requests tasks, and pulls the second stage, InvisibleFerret. InvisibleFerret provides cross-platform access on Windows, macOS, and Linux, expands the set of actions on the target, and maintains persistence. The command-and-control network is masked as service calls: the front end is placed on public platforms with routes like /api/ipcheck or /process-log, while the back end runs on a VPS with static IPs. Such a traffic profile blends easily with everyday developer and CI telemetry if outbound connections are allowed by default.
The Attack Surface Is Broader Than the Usual List of a Few Libraries
Compromise is achieved through dependencies that developers install reflexively across very different stacks: server and tooling modules, the frontend toolchain and build utilities, as well as Web3 SDKs and ecosystem tools. Both recognizable names and typosquatted or lookalike variants occur, which is critical in prototypes and take-home tasks, where autocomplete and muscle memory often replace careful verification.
Illustrative examples from analyzed cases include utilities for logging, request parsing, and CSS theming, as well as bundles where a multistage infostealer and an AES-encrypted loader were identified at install time. It is important to understand the scale: specific names illustrate the approach but don't exhaust the coverage, which is measured in hundreds of publications and is regularly updated.
A Separate Weak Point Appears at the Ecosystem Governance Level
After one malicious publication is removed, the account can continue publishing under the same name and through the same distribution channel, which allows a new package with the same goals to return quickly. For defense, this means neutralization must follow the operator rather than the artifact name: clustering by infrastructure traits and code patterns yields a greater effect than takedowns one by one.
The final economic goal is clear: theft of cryptoassets and secrets, followed by laundering through cascades of mixers, cross-chain swaps, and low-visibility networks. The targeting therefore focuses on engineers, who are more likely to have access to wallets, keys, and infrastructure configurations.
How Should Development Teams Respond to Such a Scale of Vulnerabilities?
Although this is an extremely large compromise of the entire development ecosystem, it provides invaluable takeaways for development teams, where each step of the kill chain has observable signs and technical intervention points. Before integrating code, it is important to treat any external artifact as a potential execution point, pin versions, and verify provenance and maintainer trust. At installation time, restrictions on postinstall and other automatic hooks are critical, as are blocks on decrypt-and-eval and unexpected outbound connections, as well as minimizing the network privileges of installation processes.
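The pre-install controls above (pin versions, verify provenance, restrict automatic hooks) can be enforced by a gate that runs before `npm ci` in CI. The script below is an added example for this page, not the report's own tooling: it checks a lockfileVersion 3 `package-lock.json` (every dependency must be resolved from an allowlisted registry and carry a sha512 integrity hash, and any package that declares an install script must be on an explicit exception list) and a project `.npmrc` (install scripts must be disabled). The lockfile and `.npmrc` contents are constructed fixtures; the `hasInstallScript` and `link` fields are the ones npm itself writes into v2/v3 lockfiles.

```javascript
// Added example, not from the article: a pre-install policy gate for
// "pin versions, verify provenance, restrict automatic hooks".
const ALLOWED_REGISTRIES = ["https://registry.npmjs.org/"];

// Minimal .npmrc parser: key=value lines, # and ; comments.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Walk the "packages" map of a v2/v3 lockfile and report policy violations.
function checkLockfile(lock, scriptExceptions = new Set()) {
  const problems = [];
  if (!lock.lockfileVersion || lock.lockfileVersion < 2) {
    problems.push("lockfile: upgrade to lockfileVersion 2 or 3 (integrity per package required)");
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;          // root project entry
    if (entry.link) continue;           // workspace symlink, nothing is downloaded
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!entry.resolved || !ALLOWED_REGISTRIES.some((r) => entry.resolved.startsWith(r))) {
      problems.push(`${name}: resolved outside allowlisted registry (${entry.resolved || "none"})`);
    }
    if (!/^sha512-/.test(entry.integrity || "")) {
      problems.push(`${name}: missing sha512 integrity`);
    }
    if (entry.hasInstallScript && !scriptExceptions.has(name)) {
      problems.push(`${name}: declares an install script and is not on the exception list`);
    }
  }
  return problems;
}

function checkNpmrc(text) {
  const cfg = parseNpmrc(text);
  return cfg["ignore-scripts"] === "true" ? [] : ["npmrc: ignore-scripts is not set to true"];
}

function gate(lockJson, npmrcText, scriptExceptions) {
  const problems = [...checkNpmrc(npmrcText), ...checkLockfile(JSON.parse(lockJson), scriptExceptions)];
  return { ok: problems.length === 0, problems };
}

// Constructed fixtures: one clean package, one from an unknown mirror with a
// weak hash, one that legitimately needs an install script (native build).
const LOCK_FIXTURE = JSON.stringify({
  name: "constructed-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/good-lib": { version: "2.1.0", resolved: "https://registry.npmjs.org/good-lib/-/good-lib-2.1.0.tgz", integrity: "sha512-PLACEHOLDERINTEGRITY==" },
    "node_modules/odd-lib": { version: "0.3.1", resolved: "https://mirror.unknown.example/odd-lib-0.3.1.tgz", integrity: "sha1-PLACEHOLDER=" },
    "node_modules/native-lib": { version: "1.0.0", resolved: "https://registry.npmjs.org/native-lib/-/native-lib-1.0.0.tgz", integrity: "sha512-PLACEHOLDERINTEGRITY==", hasInstallScript: true },
  },
});
const NPMRC_STRICT = "# constructed project config\nignore-scripts=true\naudit=true\n";
const NPMRC_LOOSE = "audit=true\n";

module.exports = { parseNpmrc, checkLockfile, checkNpmrc, gate, LOCK_FIXTURE, NPMRC_STRICT, NPMRC_LOOSE };
```

With the strict `.npmrc` and `native-lib` on the exception list, the gate still fails on `odd-lib` (off-registry source and sha1 integrity); with the loose `.npmrc` and no exceptions it also reports the missing `ignore-scripts` and the unapproved install script. Packages on the exception list are then installed in a second, network-restricted step with scripts enabled only for them, which keeps the default install path free of automatic code execution.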
At runtime, on the network side, it is useful to single out traffic profiles with routes that imitate health checks and log uploads on public hosting platforms, and to correlate them with C2 indicators. Taken together, these measures address exactly the nodes that sustain the scheme's scalability: routine dependency installation, automatic execution during install/import, and easy masking of outbound traffic.
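The C2 profile described earlier (a front end on a public platform with routes like /api/ipcheck or /process-log, reached from an install process) and the correlation step recommended here can be turned into a concrete egress-log check. The following Node.js correlator is an added example for this page and is not part of the report; it reads constructed key=value proxy records, flags outbound requests that were initiated by a package-manager install and leave the registry allowlist, notes health-check-like routes, and cross-references the destination with an IOC list. The hostnames, IPs and IOC entries are placeholders, not the report's indicators; `ts`, `host`, `parent`, `url` and `dst_ip` are assumed field names for whatever egress proxy or EDR actually produces the records.

```javascript
// Added example, not from the article: egress-log correlation for the
// "service-call" C2 profile. Field names and all destinations are placeholders.
const REGISTRY_ALLOWLIST = new Set(["registry.npmjs.org", "registry.yarnpkg.com"]);
const MIMIC_ROUTES = [/^\/api\/ipcheck\b/, /^\/process-log\b/, /^\/(health|healthz|ping|status)\b/];
const INSTALL_CMDS = /^(npm|npx|yarn|pnpm)\b/;
const IOC_HOSTS = new Set(["c2-front.public-paas.example"]);   // placeholder IOC, not from the report
const IOC_IPS = new Set(["203.0.113.77"]);                     // TEST-NET-3 placeholder

// Parse one `key=value key="quoted value"` record into an object.
function parseRecord(line) {
  const rec = {};
  const re = /(\w+)=("([^"]*)"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) rec[m[1]] = m[3] !== undefined ? m[3] : m[2];
  return rec;
}

// Decide whether a single record is worth an alert and say why.
function assess(rec) {
  let url;
  try { url = new URL(rec.url); } catch { return null; }
  const reasons = [];
  if (INSTALL_CMDS.test(rec.parent || "")) reasons.push("initiated-by-install");
  if (!REGISTRY_ALLOWLIST.has(url.hostname)) reasons.push("off-registry-destination");
  if (MIMIC_ROUTES.some((r) => r.test(url.pathname))) reasons.push("healthcheck-like-route");
  if (IOC_HOSTS.has(url.hostname) || IOC_IPS.has(rec.dst_ip)) reasons.push("ioc-match");
  // An install process should only ever talk to the registry; anything else
  // from an install, or any IOC hit regardless of process, raises an alert.
  const alert = reasons.includes("ioc-match") ||
    (reasons.includes("initiated-by-install") && reasons.includes("off-registry-destination"));
  return alert ? { ts: rec.ts, host: rec.host, dest: url.hostname, path: url.pathname, reasons } : null;
}

function correlate(lines) {
  return lines.map(parseRecord).map(assess).filter(Boolean);
}

// Constructed sample: a normal registry fetch, two beacons from the same
// install, and an unrelated internal health check from a laptop.
const SAMPLE_LOG = [
  'ts=2025-07-07T10:01:02Z host=ci-runner-3 proc=node parent="npm install" url=https://registry.npmjs.org/left-pad dst_ip=198.51.100.10 status=200',
  'ts=2025-07-07T10:01:05Z host=ci-runner-3 proc=node parent="npm install" url=https://c2-front.public-paas.example/api/ipcheck dst_ip=203.0.113.77 status=200',
  'ts=2025-07-07T10:01:09Z host=ci-runner-3 proc=node parent="npm install" url=https://c2-front.public-paas.example/process-log dst_ip=203.0.113.77 status=200',
  'ts=2025-07-07T10:02:00Z host=dev-laptop-12 proc=curl parent="bash" url=https://status.internal.example/healthz dst_ip=10.0.0.5 status=200',
];

module.exports = { parseRecord, assess, correlate, SAMPLE_LOG };
```

Over the sample, only the two requests from the install process to the off-registry host are alerted; the laptop's health check hits a mimicking route but has no install ancestry and no IOC match, so it stays quiet. The process-ancestry condition is what makes this usable in practice: developers and CI call health endpoints all day, but `npm install` has no reason to reach anything but the registry, and that asymmetry is exactly the masking the scheme relies on.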
For a complete picture, I recommend reviewing the exhaustive list of Indicators of Compromise (IOCs), which includes 180+ phishing email addresses, 15+ C2 endpoints, 300+ malicious npm packages, and 180+ npm aliases.
Conclusion
It seems we are seeing a concentration of threats and vulnerabilities that have been developing in recent years: social engineering provides reach, npm provides a standard delivery mechanism, encrypted loaders remove part of the static controls, C2 masquerading fits ordinary developer network profiles, and the second stage executes objectives on the target. This means that each of these links requires critical attention. Stay tuned for the latest updates and opportunities in the new economy, crypto industry, and blockchain developments.
Alexandros
My name is Alexandros, and I am a staunch advocate of Web3 principles and technologies. I'm happy to contribute to educating people about what's happening in the crypto industry, especially the developments in blockchain technology that make it all possible, and how it affects global politics and regulation.