Return of the NPM Vulnerability: Node.js Users Beware

The Opposite of the Fake North Korean IT Applicant?

There have been many news stories about companies being flooded with IT job applications from people who claim to be based in the US and other countries but are actually based in North Korea. They are trying to evade sanctions and sometimes steal data or money from the unwitting companies which have hired them. This has apparently become enough of a concern that the US Office of Public Affairs posted an official notification warning companies of this pattern of behaviour. This is apparently not the only scam being run; there are also North Korean hackers masquerading as companies seeking to hire developers, who then try to trick those developers into running malicious code on their systems.

The code is hiding in the Node Package Manager (npm) registry, where developers grab JavaScript libraries and tools for Node.js coding. The malicious packages, of which 67 have been identified, are named similarly to legitimate software projects and libraries but contain malware which has been dubbed XORIndex Loader. These poisoned packages have been downloaded over 17,000 times, so the infection is spreading. XORIndex Loader sneaks onto the system at the same time the Node.js package is installed, and phones home to a control server which then pushes out whatever malware the hackers feel like, invisibly infecting the hopeful job applicants' machines.

Beware job offers which come out of the blue, or seem too good to be true!

