Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.

The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers CL-STA-0240 and Famous Chollima.

The names of the malicious packages, which are no longer available for download from the package registry, are listed below:

- passports-js, a backdoored copy of passport (118 downloads)
- bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
- blockscan-api, a backdoored copy of etherscan-api (124 downloads)

Contagious Interview refers to a yearlong campaign undertaken by the Democratic People's Republic of Korea (DPRK) that involves tricking developers into downloading malicious pages or seemingly innocuous video conferencing applications as part of a coding test. It first came to light in November 2023.

This is not the first time the threat actors have used npm packages to distribute BeaverTail. In August 2024, software supply chain security firm Phylum disclosed another bunch of npm packages that paved the way for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.

The names of the malicious packages identified at the time were temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.

One aspect…
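A dependency tree can be checked for the eight package names reported above by scanning a parsed package-lock.json, including transitive and aliased installs. This is an added example, not code from the article or from Datadog or Phylum; the function names and the sample lockfile are constructed for illustration.

```javascript
// Package names reported in the article above (both npm waves).
const FLAGGED = new Set([
  "passports-js", "bcrypts-js", "blockscan-api",
  "temp-etherscan-api", "ethersscan-api", "telegram-con",
  "helmet-validate", "qq-console",
]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Lockfile v1 nests transitive dependencies recursively under "dependencies".
function walkV1(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (FLAGGED.has(name)) {
      hits.push({ name, version: meta.version || null, via: here.join(" > ") });
    }
    walkV1(meta.dependencies, here, hits);
  }
}

// Returns every flagged package found in a parsed package-lock.json object.
function findFlagged(lock) {
  const hits = [];
  if (!lock.packages) walkV1(lock.dependencies, [], hits);
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    // An aliased install ("x": "npm:real-name@1") records the real name in meta.name.
    const name = meta.name || nameFromLockPath(path);
    if (name && FLAGGED.has(name)) {
      hits.push({ name, version: meta.version || null, via: path });
    }
  }
  return hits;
}

// Constructed sample lockfile (versions are made up for the demo).
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/bcryptjs": { version: "2.4.3" },
    "node_modules/auth-helper/node_modules/passports-js": { version: "0.0.0" },
    "node_modules/crypt": { name: "bcrypts-js", version: "0.0.0" },
  },
};
console.log(findFlagged(SAMPLE_LOCK));
```

The legitimate bcryptjs entry is not reported; only the nested passports-js install and the aliased bcrypts-js install are.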