
Inside the "Contagious Interview" Campaign: Analyzing North Korea's Latest npm Supply Chain Attack

Security Arsenal Team
March 2, 2026

The New Face of Recruitment: Malware Disguised as a Coding Test

For software developers, the job market can be grueling. It involves endless interviews, coding challenges, and technical assessments. However, cybercriminals have weaponized this process. Security researchers have uncovered a fresh wave of the "Contagious Interview" campaign, a sophisticated operation attributed to North Korean threat actors.

In this latest iteration, attackers have published 26 malicious packages to the npm (Node Package Manager) registry. These packages are designed to look like legitimate developer tools or libraries, but they hide a dangerous payload: a cross-platform Remote Access Trojan (RAT) capable of compromising Windows, macOS, and Linux systems.

The Threat Landscape: From Fake Offers to Real Compromise

The attack vector is insidiously simple yet effective. Threat actors pose as recruiters or hiring managers from reputable tech companies. They reach out to developers, often via LinkedIn, and propose a technical interview. To "test the candidate's skills," they ask the developer to clone a repository or install specific npm packages to complete a task.

Once the developer executes the command to install these packages, the malware is deployed onto their machine. This isn't just a script kiddie attack; it is a state-sponsored operation aiming to steal intellectual property, source code, and credentials, likely to fund further regime operations or gain competitive advantages in the tech sector.

Technical Analysis: The Pastebin Dead Drop Resolver

What makes this specific wave of npm attacks notable is the use of a "Dead Drop Resolver" technique leveraging Pastebin. Traditionally, malware contains hardcoded IP addresses or domain names for its Command and Control (C2) servers. If defenders block that IP, the malware loses its ability to phone home.

In this campaign, the malware does not connect to a C2 server immediately. Instead, it reaches out to a seemingly benign URL on Pastebin.

  1. Initial Beacon: The infected machine queries a specific raw Pastebin URL.
  2. Dynamic Retrieval: The text content of that Pastebin paste contains the actual IP address or domain of the active C2 server.
  3. Connection: The malware parses this text and then establishes a persistent connection to the C2.

This technique provides the attackers with immense agility. If a security team blocks a C2 IP, the attackers simply update the text on Pastebin. They do not need to recompile or redistribute the malware to the victims. The use of Pastebin also helps the traffic blend in with legitimate developer activity, as developers often use similar services to share code snippets or configuration files.

Furthermore, the payload is a cross-platform RAT, often written in Node.js or leveraging cross-platform scripting languages. This allows the attacker to execute shell commands, upload/download files, and capture keystrokes regardless of whether the victim is using a MacBook or a Windows workstation.

Detection and Threat Hunting

Detecting supply chain attacks requires a shift from simple signature-based detection to behavioral analysis. Security Operations Centers (SOCs) should hunt for anomalies in package installation and process execution.

1. Hunt for Suspicious npm Installs

Look for npm install processes that spawn unusual child processes or communicate with non-standard registry endpoints.

// KQL for Sentinel/Defender
// Correlate npm/node install activity with outbound connections to paste-style hosts.
// The original join on DeviceId failed because the first project dropped DeviceId, and joining
// on an exact Timestamp almost never matches; join on the device and keep a 10-minute window.
DeviceProcessEvents
| where FileName in~ ("npm", "npm.cmd", "node.exe")
| where ProcessCommandLine contains "install"
| project DeviceId, ProcTime = Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    DeviceNetworkEvents
    | where RemotePort in (80, 443)
    | where RemoteUrl has "pastebin" or RemoteUrl has "raw.githubusercontent"
    | project DeviceId, NetTime = Timestamp, NetProcess = InitiatingProcessFileName, RemoteUrl, RemoteIP
) on DeviceId
| where NetTime between (ProcTime .. (ProcTime + 10m))   // connection within 10 minutes of the install
| project ProcTime, NetTime, DeviceName, AccountName, ProcessCommandLine, NetProcess, RemoteUrl, RemoteIP

2. Scan Node Modules for Pastebin References

If you suspect a compromise in your development environment, scan the node_modules folder for references to Pastebin or other dead-drop services.

# Bash: grep node_modules for Pastebin references (case-insensitive; skips binaries; covers
# .js/.cjs/.mjs sources and package.json, where install-time scripts live)
grep -rIl -i -e 'pastebin' --include='*.js' --include='*.cjs' --include='*.mjs' --include='package.json' ./node_modules

3. PowerShell Process Tree Analysis

The malware often uses PowerShell to execute commands on Windows. Investigate PowerShell instances spawned by Node.js with encoded commands.

# PowerShell: Sysmon Event ID 1 (process creation) where powershell.exe/pwsh.exe was spawned
# by node.exe with an encoded command. (?m) anchors ^ at line starts so "Image:" does not
# also match the "ParentImage:" line of the same event. -match is case-insensitive.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
    Where-Object {
        $_.Message -match '(?m)^Image:.*\\(powershell|pwsh)\.exe' -and
        $_.Message -match '(?m)^ParentImage:.*\\node\.exe' -and
        $_.Message -match '(?m)^CommandLine:.*\s-e(c|nc|ncodedcommand)?\s'
    } |
    Select-Object TimeCreated, Id, Message | Format-List

Mitigation Strategies

Defending against supply chain attacks requires a defense-in-depth approach focused on policy, validation, and network hygiene.

  1. Strict Package Policies: Developers should never install packages provided directly by third parties during interviews unless they can verify the package's integrity on the official npm registry. Always check the number of downloads, last publish date, and maintainer links. If a package was published yesterday and has zero context, do not install it.

  2. Network Segmentation and Filtering: Restrict access to Pastebin and other raw text hosting sites from development build machines unless strictly necessary. Implement DNS filtering to block known malicious domains associated with this campaign.

  3. Software Composition Analysis (SCA): Integrate SCA tools into your CI/CD pipeline. These tools can flag malicious packages before they are ever built into your production environment.

  4. Developer Education: Train your engineering staff on the "Contagious Interview" tactic. Ensure they know that legitimate recruiters rarely ask candidates to install arbitrary, unpublished, or new packages from the internet as part of a standard screening process.
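The registry checks in item 1 (publish date, download count, maintainer and repository links) can be automated before anything is installed. This is an added example, not the original post's code: vetPackage applies those signals to the document the public npm registry returns for a package; the thresholds, the helper names and the two sample documents are assumptions.

```javascript
// Added example, not code from the original post: automate the registry checks from the
// strict-package-policy item (package age, download count, maintainer and repository links)
// against the document https://registry.npmjs.org/<name> returns. Thresholds, helper names
// and the two sample documents are constructed assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const POLICY = { minAgeDays: 30, minWeeklyDownloads: 1000, minVersions: 2 }; // assumed thresholds

// doc: npm registry document; weeklyDownloads: number from the downloads API; now: Date.
// Returns { ok, reasons } where reasons lists every policy signal that fired.
function vetPackage(doc, weeklyDownloads, now = new Date()) {
  const reasons = [];
  const created = doc.time && doc.time.created ? new Date(doc.time.created) : null;
  if (!created) {
    reasons.push('no creation time in registry document');
  } else {
    const ageDays = Math.floor((now - created) / DAY_MS);
    if (ageDays < POLICY.minAgeDays) reasons.push(`first published ${ageDays} day(s) ago`);
  }
  if (!(weeklyDownloads >= POLICY.minWeeklyDownloads)) reasons.push(`${weeklyDownloads} weekly downloads`);
  const versions = Object.keys(doc.versions || {});
  if (versions.length < POLICY.minVersions) reasons.push(`only ${versions.length} published version(s)`);
  if (!(doc.repository && doc.repository.url)) reasons.push('no repository link');
  if (!(doc.maintainers && doc.maintainers.length)) reasons.push('no maintainers listed');
  return { ok: reasons.length === 0, reasons };
}

// Live wrapper (not exercised offline): both endpoints are the public npm registry APIs.
async function fetchAndVet(name) {
  const id = name.replace('/', '%2F'); // scoped names are sent as @scope%2Fname
  const doc = await (await fetch(`https://registry.npmjs.org/${id}`)).json();
  const dl = await (await fetch(`https://api.npmjs.org/downloads/point/last-week/${id}`)).json();
  return vetPackage(doc, dl.downloads || 0);
}

// Constructed sample documents (shape follows the registry, values are invented).
const NOW = new Date('2026-03-02T00:00:00Z');
const SUSPECT_DOC = {
  name: 'demo-interview-helper', time: { created: '2026-02-28T10:00:00Z' },
  versions: { '1.0.0': {} }, maintainers: [{ name: 'newacct' }],
};
const ESTABLISHED_DOC = {
  name: 'demo-long-lived', time: { created: '2019-05-01T00:00:00Z' },
  versions: { '1.0.0': {}, '1.1.0': {}, '2.0.0': {} },
  repository: { type: 'git', url: 'git+https://example.com/org/demo-long-lived.git' },
  maintainers: [{ name: 'maintainer-a' }, { name: 'maintainer-b' }],
};
```

`vetPackage(SUSPECT_DOC, 12, NOW)` fails on age, downloads, version count and missing repository; `vetPackage(ESTABLISHED_DOC, 250000, NOW)` passes with no reasons.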

Conclusion

The "Contagious Interview" campaign is a stark reminder that the software supply chain remains a primary target for advanced persistent threats. By leveraging social engineering and dynamic C2 infrastructure, North Korean actors continue to evolve their tactics. Vigilance, combined with robust threat hunting and strict developer hygiene, is the only effective defense against these sophisticated intrusions.
