When npm install Gets You Hacked: Simulating the Famous Chollima Job Scam Campaign
Fri, Jul 11, 2025 • 2 min read
A red team simulation inspired by North Korean APT group Famous Chollima, demonstrating how malicious npm packages can be weaponized in fake job recruitment campaigns targeting developers.
Introduction
In this post, we'll explore how threat actors can leverage the npm ecosystem to deliver malicious payloads through seemingly legitimate job recruitment campaigns. This technique has been used by real-world APT groups, making it a critical area of concern for developers and security professionals.
The Attack Vector
The attack begins with a fake job posting that requires candidates to install a specific npm package as part of the "technical assessment." This package appears legitimate but contains malicious code that executes upon installation.
Step 1: The Bait
The attacker creates a convincing job posting on platforms like LinkedIn or job boards, targeting developers with specific skills. The posting includes instructions to install a package:
npm install @company/assessment-tool
Step 2: The Package
The malicious package contains code that:
- Exfiltrates environment variables
- Steals SSH keys and credentials
- Establishes a backdoor connection
- Performs lateral movement reconnaissance
Detection and Mitigation
Organizations should implement:
- Package scanning and analysis
- Network monitoring for suspicious outbound connections
- Developer security training
- Least privilege access controls
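The package in this scenario only gets to run because npm executes lifecycle hooks at install time. A concrete form of the "package scanning and analysis" control above is to read a package's manifest before installing it and flag any such hook. The following is an added example, not code from the original post; the manifests and package names are constructed for illustration, and the indicator patterns are my own choices, not an exhaustive list.

```javascript
// Pre-install audit: parse a package.json and flag lifecycle scripts that
// run at install time, plus obvious downloader/eval fragments inside them.
// Added example; manifests below are constructed, names are hypothetical.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Command fragments that rarely belong in an install hook of a library.
const SUSPICIOUS = [
  /\bcurl\b/, /\bwget\b/, /\|\s*(ba)?sh\b/, /\beval\b/,
  /base64/i, /\.ssh\b/, /process\.env/,
];

function auditManifest(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = String(scripts[hook]);
    const hits = SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
    // Any install-time hook deserves a look; matched indicators raise severity.
    findings.push({ hook, command: cmd, severity: hits.length ? "high" : "medium", indicators: hits });
  }
  return { name: pkg.name, findings };
}

// Constructed manifest mimicking the "assessment tool" from the scenario.
const SUSPECT_MANIFEST = JSON.stringify({
  name: "@company/assessment-tool", // hypothetical, as in the post
  version: "1.0.0",
  scripts: { postinstall: "node ./setup.js", test: "jest" },
});

// Constructed manifest with no install-time hooks at all.
const CLEAN_MANIFEST = JSON.stringify({
  name: "harmless-lib",
  version: "2.3.1",
  scripts: { test: "mocha", build: "tsc" },
});

for (const m of [SUSPECT_MANIFEST, CLEAN_MANIFEST]) {
  const r = auditManifest(m);
  console.log(r.name, r.findings.length ? "REVIEW BEFORE INSTALL" : "no install hooks", r.findings);
}
```

Pair this with `npm install --ignore-scripts` (a real npm option) so that a flagged hook such as `node ./setup.js` can be read before anything from the package executes.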
Conclusion
This attack demonstrates the importance of vetting all dependencies, even those from seemingly legitimate sources. Always verify package sources and review code before installation.