Contagious Interview: North Korean Hackers Target Crypto Devs with Fake Job NPM Malware


North Korean actors execute the Contagious Interview campaign targeting cryptocurrency, Web3, and AI developers. Fake job assessments deliver trojanized NPM packages that install the BeaverTail and InvisibleFerret backdoors. The malware surgically replaces MetaMask extensions to steal wallet credentials.

Threat actors hide JavaScript payloads in technical interview challenges, and developers execute the malicious code while completing the skills test. The initial beacon contacts the C2 to retrieve encoded server addresses and a campaign ID. Streamlined payloads minimize detection while downloading the Python backdoor.

Seongsu Park documented advanced MetaMask manipulation that generates valid HMAC-SHA256 signatures. The trojanized extension injects 15 malicious lines into the submitPassword function. Victims unlock their wallets normally while attackers harvest the master password and encrypted vault.

Attack Chain Stages

Multi-stage operation targets developer workflows.

  1. Fake job posting offers crypto/AI positions
  2. Technical assessment requires NPM package execution
  3. JavaScript beacon contacts C2 infrastructure
  4. Backdoor download delivers BeaverTail/InvisibleFerret
  5. MetaMask replacement injects credential stealer
  6. Data exfiltration sends wallet files to attackers

Primary Malware Components

Specialized payloads deliver persistent access.

Malware          Language    Primary Function                 Platforms
BeaverTail       JavaScript  Lightweight backdoor, C2         Cross-platform
InvisibleFerret  Python      File enumeration, exfiltration   Windows/macOS/Linux

The backdoors search all drives for files matching the keywords wallet, metamask, private, mnemonic, and password.

MetaMask Extension Attack

Surgical browser modification bypasses tamper protection.

1. Scan Chrome/Brave for MetaMask extensions
2. Download trojanized version from C2
3. Generate HMAC-SHA256 signatures
4. Replace legitimate extension files
5. Inject 15 lines into submitPassword()
6. Capture vault data on wallet unlock

The fake extension maintains identical functionality, so detection requires signature verification.

Infection Indicators

Deploy immediate hunting rules across environments.

JavaScript Beacon:

  • Encoded C2 server retrieval
  • Campaign ID transmission
  • Second-stage download initiation
  • Browser extension enumeration

File Exfiltration:

  • Wallet.dat, mnemonic.txt, private.key searches
  • Password manager database extraction
  • Development .env secret harvesting
  • Browser profile MetaMask folder changes

Network Traffic:

  • NPM package domains during interviews
  • Python backdoor beaconing patterns
  • High-entropy JavaScript downloads
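The indicators above translate directly into hunting logic. The block below is an added example, not code from the original article or from the cited research: it applies four rules (Python spawned from Node.js, a Node/npm process connecting to a non-registry host, access to wallet/secret files by keyword, and a non-browser process writing into a browser Extensions directory) to endpoint telemetry. The JSON-lines event format, the sample records, the TEST-NET IP, the paths and the allowed-host list are all constructed assumptions; adapt the field names to your EDR's export.

```python
import json
import re

# Constructed endpoint telemetry in JSON-lines form (process, network and file
# events). These are invented sample records for the demo, not real campaign data;
# the IP is from the TEST-NET range and the paths are placeholders.
SAMPLE_EVENTS = """
{"ts":"2025-01-10T09:00:01Z","type":"process","pid":100,"ppid":1,"image":"/usr/bin/npm","cmdline":"npm install"}
{"ts":"2025-01-10T09:00:02Z","type":"network","pid":100,"image":"/usr/bin/npm","dest":"registry.npmjs.org","port":443}
{"ts":"2025-01-10T09:00:03Z","type":"process","pid":101,"ppid":100,"image":"/usr/bin/node","cmdline":"node scripts/postinstall.js"}
{"ts":"2025-01-10T09:00:04Z","type":"network","pid":101,"image":"/usr/bin/node","dest":"203.0.113.10","port":8443}
{"ts":"2025-01-10T09:00:05Z","type":"process","pid":102,"ppid":101,"image":"/usr/bin/python3","cmdline":"python3 /tmp/stage2.py"}
{"ts":"2025-01-10T09:00:06Z","type":"file","pid":102,"image":"/usr/bin/python3","op":"read","path":"/home/dev/project/.env"}
{"ts":"2025-01-10T09:00:07Z","type":"file","pid":102,"image":"/usr/bin/python3","op":"read","path":"/home/dev/backup/wallet.dat"}
{"ts":"2025-01-10T09:00:08Z","type":"file","pid":102,"image":"/usr/bin/python3","op":"write","path":"/home/dev/.config/google-chrome/Default/Extensions/nkbihfbeogaeaoehlefnkodbefgpgknn/12.0.0_0/scripts/app.js"}
{"ts":"2025-01-10T09:00:09Z","type":"file","pid":103,"image":"/usr/bin/code","op":"read","path":"/home/dev/project/src/index.ts"}
"""

NODE_IMAGES = {"node", "npm", "npx", "node.exe", "npm.cmd"}
BROWSER_IMAGES = {"chrome", "google-chrome", "chrome.exe", "brave", "brave-browser", "brave.exe"}
PYTHON_RE = re.compile(r"^python(\d+(\.\d+)?)?(\.exe)?$", re.I)
# File names and path keywords the article says the backdoors search for.
SECRET_NAME_RE = re.compile(r"(wallet\.dat|mnemonic\.txt|private\.key|\.env)$", re.I)
SECRET_KEYWORDS = ("wallet", "metamask", "private", "mnemonic", "password")
# Chromium-family extension directories: <profile>/Extensions/<32-char id>/<version>/
EXT_DIR_RE = re.compile(r"/Extensions/[a-p]{32}/")
# Hosts npm is expected to talk to during an install (assumed allow-list).
ALLOWED_NPM_DESTS = {"registry.npmjs.org"}


def _basename(image):
    """Normalise a Windows or POSIX image path to its lower-case file name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _finding(ev, rule, detail):
    return {"ts": ev["ts"], "rule": rule, "pid": ev["pid"], "detail": detail}


def hunt(events_text):
    """Apply the indicator rules to JSON-lines telemetry and return findings in order."""
    findings = []
    image_of = {}  # pid -> image basename, so a child can look up its parent
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        name = _basename(ev["image"])
        if ev["type"] == "process":
            image_of[ev["pid"]] = name
            parent = image_of.get(ev["ppid"], "")
            # Rule 1: Python process whose parent is node/npm (second-stage backdoor)
            if PYTHON_RE.match(name) and parent in NODE_IMAGES:
                findings.append(_finding(ev, "python_spawned_from_node", ev["cmdline"]))
        elif ev["type"] == "network":
            # Rule 2: node/npm talking to anything other than the package registry
            if name in NODE_IMAGES and ev["dest"] not in ALLOWED_NPM_DESTS:
                findings.append(_finding(ev, "npm_non_registry_connection",
                                         f'{ev["dest"]}:{ev["port"]}'))
        elif ev["type"] == "file":
            path = ev["path"].replace("\\", "/")
            # Rule 3: a non-browser process writing into a browser extension folder
            if EXT_DIR_RE.search(path) and ev["op"] == "write" and name not in BROWSER_IMAGES:
                findings.append(_finding(ev, "extension_file_modified_by_non_browser", path))
            # Rule 4: access to wallet, key, mnemonic, password or .env files
            elif SECRET_NAME_RE.search(path) or any(k in path.lower() for k in SECRET_KEYWORDS):
                findings.append(_finding(ev, "secret_file_access", path))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f'{f["ts"]}  pid={f["pid"]:<5} {f["rule"]:<40} {f["detail"]}')
```

Rule 3 deliberately ignores writes made by the browser itself, since Chrome and Brave rewrite extension files during legitimate updates; rule 2 needs the allow-list extended with any private registry or proxy your build pipeline uses, otherwise it will fire on every install.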

Developer-Targeted Vectors

Campaign exploits recruitment desperation.

Target Profiles:

  • Cryptocurrency developers
  • Web3 blockchain engineers
  • AI/ML specialists
  • Junior/mid-level engineers

Delivery Methods:

  • GitHub interview repositories
  • Discord job channels
  • LinkedIn recruiter messages
  • Telegram crypto groups

Enterprise Risk Factors

Development environments carry the greatest exposure.

High-Value Targets:

  • Unlocked MetaMask with mainnet funds
  • Private keys for hot wallets
  • Development environment secrets
  • Password managers with corporate credentials

Compromise Impact:

  • Crypto portfolio drainage
  • Seed phrase harvesting
  • Corporate credential theft
  • Supply chain compromise potential

NPM Package Protections

Immediate supply chain security required.

Pre-execution Controls:

  • Block npm install from untrusted sources
  • Require code review before execution
  • Scan packages with multiple engines
  • Verify package maintainers
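A "review before execution" control needs something concrete to review. The following is an added example, not the article's or any vendor's tool: a pre-install audit that reads an interview repository's package.json for lifecycle hooks (preinstall/install/postinstall and similar, which run automatically on npm install), then scans the package's own JavaScript for dynamic code execution, process spawning, network calls, long encoded string blobs and high character entropy. The sample package it builds, the 5.3 bits/char entropy cutoff and the regexes are assumptions chosen for the demo; the sample hook file is only written to disk and scanned, never run.

```python
import base64
import json
import math
import re
import tempfile
from pathlib import Path

# npm runs these automatically during install; each one deserves a human read.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# Dynamic evaluation, process spawning and outbound network from inside a package.
SUSPICIOUS_API_RE = re.compile(
    r"\b(eval|Function)\s*\(|require\(\s*['\"](child_process|https?|net|dns)['\"]\s*\)|\bfetch\s*\(")
# Long runs of base64-alphabet characters usually mean an embedded second stage.
ENCODED_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
ENTROPY_THRESHOLD = 5.3  # bits/char; readable JS sits well below this (assumed cutoff)


def shannon_entropy(text):
    """Empirical Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_package(pkg_dir):
    """Return a list of {rule, where, detail} findings for a package directory."""
    pkg_dir = Path(pkg_dir)
    findings = []
    manifest = json.loads((pkg_dir / "package.json").read_text())
    for name, cmd in manifest.get("scripts", {}).items():
        if name in LIFECYCLE_SCRIPTS:
            findings.append({"rule": "lifecycle_script", "where": name, "detail": cmd})
    for js in sorted(pkg_dir.rglob("*.js")):
        if "node_modules" in js.parts:  # dependencies get their own review
            continue
        rel = js.relative_to(pkg_dir).as_posix()
        text = js.read_text(errors="replace")
        apis = sorted({m.group(0) for m in SUSPICIOUS_API_RE.finditer(text)})
        if apis:
            findings.append({"rule": "suspicious_api", "where": rel, "detail": ", ".join(apis)})
        blob = ENCODED_BLOB_RE.search(text)
        if blob:
            findings.append({"rule": "long_encoded_string", "where": rel,
                             "detail": f"{len(blob.group(0))} chars"})
        ent = shannon_entropy(text)
        if ent > ENTROPY_THRESHOLD:
            findings.append({"rule": "high_entropy_file", "where": rel,
                             "detail": f"{ent:.2f} bits/char"})
    return findings


def build_sample_package(target):
    """Write a constructed two-file package: a benign module plus an install hook that
    carries the patterns above. The hook is scanned only, never executed."""
    target = Path(target)
    (target / "scripts").mkdir(parents=True, exist_ok=True)
    (target / "package.json").write_text(json.dumps({
        "name": "interview-task", "version": "1.0.0",
        "scripts": {"test": "node test.js", "postinstall": "node scripts/postinstall.js"},
    }))
    (target / "index.js").write_text("module.exports = function add(a, b) { return a + b; };\n")
    blob = base64.b64encode(bytes(range(256)) * 2).decode()  # deterministic high-entropy filler
    (target / "scripts" / "postinstall.js").write_text(
        f'const payload = "{blob}";\n'
        'eval(Buffer.from(payload, "base64").toString());\n'
        'require("child_process").exec("echo done");\n')
    return target


def run_demo():
    """Build the constructed package in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_package(build_sample_package(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f'{f["rule"]:<22} {f["where"]:<24} {f["detail"]}')
```

Run the audit on the cloned repository before any npm command; if it must be installed at all, `npm install --ignore-scripts` inside a throwaway container keeps the lifecycle hooks from running while you read them.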

Runtime Monitoring:

  • Network connections during npm install
  • Suspicious JavaScript downloads
  • Python process spawning from Node.js
  • Browser extension file modifications

Browser Extension Hardening

Protect MetaMask from surgical replacement.

Verification Steps:

  • Check extension ID matches official store
  • Verify HMAC signatures on update
  • Monitor extension file modification times
  • Audit Chrome/Brave profile directories
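Because the article reports that the trojanized extension ships with valid signatures, the browser's own integrity checks cannot be the only line of defence. The block below is an added example, not the article's or MetaMask's code: it takes an out-of-band SHA-256 baseline of an installed extension directory, later re-hashes it to report modified, added and removed files plus files whose mtime postdates the baseline, and checks that the directory name matches the store ID. The demo builds a fake extension tree in a temp dir and simulates a replacement. The store ID constant is the one shown on the Chrome Web Store listing at the time of writing and should be confirmed against the store yourself; the profile paths are the Chromium defaults and are assumptions for your platform.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# MetaMask's Chrome Web Store extension ID as listed at the time of writing;
# verify it against the store page before relying on it.
METAMASK_STORE_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"

# Default-profile Extensions directories for Chrome and Brave (assumed defaults).
PROFILE_EXTENSION_DIRS = [
    "~/.config/google-chrome/Default/Extensions",
    "~/.config/BraveSoftware/Brave-Browser/Default/Extensions",
    "~/Library/Application Support/Google/Chrome/Default/Extensions",
    "~/Library/Application Support/BraveSoftware/Brave-Browser/Default/Extensions",
    "%LOCALAPPDATA%/Google/Chrome/User Data/Default/Extensions",
    "%LOCALAPPDATA%/BraveSoftware/Brave-Browser/User Data/Default/Extensions",
]


def find_metamask_dirs(roots=PROFILE_EXTENSION_DIRS):
    """Return existing <Extensions>/<id>/<version> directories for the MetaMask ID."""
    found = []
    for root in roots:
        base = Path(os.path.expandvars(os.path.expanduser(root))) / METAMASK_STORE_ID
        if base.is_dir():
            found.extend(p for p in sorted(base.iterdir()) if p.is_dir())
    return found


def snapshot(ext_dir):
    """Map every file under the extension directory (relative path) to its SHA-256."""
    ext_dir = Path(ext_dir)
    return {p.relative_to(ext_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(ext_dir.rglob("*")) if p.is_file()}


def take_baseline(ext_dir):
    """Baseline to be stored OUTSIDE the browser profile (e.g. a read-only share)."""
    return {"taken_at": time.time(), "files": snapshot(ext_dir)}


def verify(ext_dir, baseline):
    """Diff the live directory against a baseline; hashes are authoritative,
    mtimes are advisory only since an intruder can reset them."""
    ext_dir = Path(ext_dir)
    current, old = snapshot(ext_dir), baseline["files"]
    result = {
        "id_matches_store": ext_dir.parent.name == METAMASK_STORE_ID,
        "modified": sorted(p for p in current if p in old and current[p] != old[p]),
        "added": sorted(p for p in current if p not in old),
        "removed": sorted(p for p in old if p not in current),
        "touched_after_baseline": sorted(
            p for p in current if (ext_dir / p).stat().st_mtime > baseline["taken_at"]),
    }
    return result


def run_demo():
    """Constructed extension tree: baseline it, then simulate a file replacement."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / METAMASK_STORE_ID / "12.0.0_0"
        (ext / "scripts").mkdir(parents=True)
        (ext / "manifest.json").write_text('{"name": "MetaMask", "version": "12.0.0"}')
        app = ext / "scripts" / "app.js"
        app.write_text("function submitPassword(p) { return unlock(p); }\n")
        baseline = take_baseline(ext)
        # Simulated replacement: one changed file, one injected file.
        app.write_text("function submitPassword(p) { /* changed */ return unlock(p); }\n")
        (ext / "scripts" / "extra.js").write_text("// added after baseline\n")
        later = baseline["taken_at"] + 60
        os.utime(app, (later, later))
        return verify(ext, baseline)


if __name__ == "__main__":
    for d in find_metamask_dirs():
        print("installed:", d)
    print(json.dumps(run_demo(), indent=2))
```

Take the baseline right after a clean install from the official store and keep the JSON somewhere the developer account cannot write; re-run verify on a schedule and on every browser update, treating any unexplained entry in modified or added as grounds for the recovery steps below.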

Recovery Process:

1. Disconnect all dApps immediately
2. Backup wallet via official recovery
3. Remove ALL browser extensions
4. Reinstall MetaMask from Chrome Store
5. Generate new seed phrase
6. Transfer remaining funds immediately

Threat Actor Attribution

North Korean operation shows sophisticated evolution.

Tactical Maturity:

  • Multi-platform backdoor development
  • Cryptocurrency-specific targeting
  • Extension signature forgery
  • Recruitment vector exploitation

Campaign Naming: Contagious Interview reflects fake job delivery.

Immediate Response Actions

For Compromised Developers:

1. Isolate development machine
2. Kill BeaverTail/InvisibleFerret processes
3. Disconnect MetaMask from all dApps
4. Generate new wallet seed phrases
5. Full system reimage recommended

For Enterprises:

  • Hunt across all developer workstations
  • Review recent NPM package installs
  • Audit browser extension configurations
  • Reset all cryptocurrency wallet access

Protection Framework

Layered defenses block campaign progression.

Recruitment Process:

  • Verify job postings through corporate channels
  • Never execute untrusted NPM packages
  • Use isolated assessment environments
  • Require signed code from recruiters

Development Environment:

  • Containerized npm install execution
  • Network egress filtering during builds
  • Browser extension whitelisting
  • Wallet disconnect during development

FAQ

What is Contagious Interview campaign?

North Korean malware targeting crypto/AI developers via fake job NPM packages.

Primary malware families?

BeaverTail (JavaScript backdoor), InvisibleFerret (Python backdoor).

How does MetaMask compromise work?

Surgical extension replacement with forged HMAC signatures.

Target professional sectors?

Cryptocurrency, Web3, AI/ML development.

Initial infection vector?

Trojanized NPM packages during fake technical interviews.

Detection challenges?

Surgical code injection maintains legitimate functionality.
