North Korean hackers uploaded over 300 malicious code packages targeting blockchain companies to the mainstream software library npm

Socket, a US cybersecurity company, stated in a report that a North Korean hacker group uploaded over 300 malicious code packages to the mainstream software library npm. Disguised as misspelled versions of popular libraries (such as express and hardhat), they implanted malware capable of stealing passwords and encrypted wallet keys. The operation was named "Infectious Interview," with hackers impersonating technical recruiters to target blockchain and Web3 developers. Some malicious packages remained online after approximately 50,000 downloads. Researchers traced the code back to the North Korean hacker group through code patterns, and their loader scripts used memory decryption technology to avoid leaving traces. Although GitHub has strengthened verification and removed some malicious packages, supply chain security threats continue to spread. Security experts recommend that development teams treat each dependency installation as a potential code execution and require scanning and verification before merging it into the project.