npm Packages - Contagious Interview

Npm Packages Masquerade as Benign UI Libraries in North Korea’s “Contagious Interview” Supply-Chain Attack

Newly detected malicious npm packages masquerade as harmless front-end helpers but contain malicious obfuscated code.

The Security Research Team at Xygeni determined that the npm packages ‘react-ui-notify’, ‘react-tmedia’, ‘react-ui-animates’, ‘react-medias’ and ‘react-mandes’ are modified derivatives of ‘bingo-logger’, itself a malicious fork that mimics the structure and documentation of the popular logging package ‘pino’ in order to appear legitimate. That cover is used to exploit developer trust and attract downloads. In reality, the codebase contains an unrelated obfuscated file that runs in Node environments.

Threat Actor Background: The “Contagious Interview” Campaign

The Contagious Interview campaign is associated with the threat cluster tracked as ‘UNC4034’, which has reported links to the North Korean affiliated actors Lazarus Group or APT38, a well-known state-sponsored group tied to the North Korean regime. The threat actors behind this campaign have a history of targeting developers through open-source ecosystems, distributing look-alike packages that execute hidden payloads and ultimately exfiltrate crypto-related data, source code and credentials from infected systems.

The tactics, techniques, and procedures (TTPs) observed in these npm packages follow the same pattern:

  • Mimic legitimate-sounding project names to appear trustworthy.
  • Embed obfuscated code within test files and auxiliary scripts.
  • Run hidden payloads that collect sensitive data and send it to a remote command-and-control (C2) server.

Technical findings: Obfuscated Payload Analysis

The payload found within ‘/test/fixtures/eval/node_modules/test.list’ uses obfuscated JavaScript (index/array string lookups, encoded blocks) to hide readable strings and control flow. It is executed as soon as the package is installed, because the package.json declares the postinstall script ‘npm run test || npm transpile || npm run skip’.
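The two traits called out above, an install-time lifecycle hook that chains commands with `||` and obfuscated JavaScript hidden in a non-script file under a fixtures directory, can both be triaged statically before a package is ever installed. The following Node script is an added example written for this article, not Xygeni's detection engine or code from the packages themselves. It works entirely on in-memory strings: the package.json and file contents at the bottom are constructed to resemble the described traits (the "payload" is a harmless string-array decoder), and the package name is a placeholder.

```javascript
// Added example (not Xygeni's code): static triage of an npm package's
// install-time hooks plus a few obfuscation heuristics, run over constructed
// in-memory inputs so it executes offline.

// Lifecycle scripts npm runs automatically: preinstall/install/postinstall for
// any installed dependency, prepare for the package itself on `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// File extensions expected to contain JavaScript.
const JS_EXTENSIONS = ['.js', '.cjs', '.mjs'];

// Return the install-time hooks declared in a package.json object, each with
// the reasons it deserves a closer look.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const reasons = [];
    // A fallback chain (`a || b || c`) hides which command actually ran.
    if (cmd.includes('||')) reasons.push('fallback chain');
    // Running the test suite at install time is not a normal build step.
    if (/\bnpm (run )?test\b/.test(cmd)) reasons.push('runs tests on install');
    if (/\b(curl|wget|node -e|eval)\b/.test(cmd)) reasons.push('fetches or evals code');
    findings.push({ hook, cmd, reasons });
  }
  return findings;
}

// Collect obfuscation indicators from a source string. None is proof alone;
// several together in a file that should be plain code warrants manual review.
function obfuscationIndicators(src) {
  const indicators = [];
  const hexEscapes = (src.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  if (hexEscapes >= 8) indicators.push(`hex-escaped strings (${hexEscapes})`);
  // Identifiers like _0x1a2b and lookups such as _0x1a2b[3] are the signature
  // of common JavaScript obfuscators (string-array indexing).
  if (/_0x[0-9a-f]{3,}\s*\[\s*\d+\s*\]/.test(src)) indicators.push('array string lookups');
  if (/\b(eval|Function)\s*\(/.test(src)) indicators.push('dynamic code evaluation');
  // Long runs of base64 are typical of encoded payload blocks.
  if (/[A-Za-z0-9+/]{200,}={0,2}/.test(src)) indicators.push('long base64 block');
  const longestLine = Math.max(...src.split('\n').map((l) => l.length));
  if (longestLine > 1000) indicators.push(`very long line (${longestLine} chars)`);
  return indicators;
}

// Audit a package given its parsed package.json and a map of path -> content.
function auditPackage(pkg, files) {
  const report = { installHooks: findInstallHooks(pkg), suspiciousFiles: [] };
  for (const [filePath, content] of Object.entries(files)) {
    const indicators = obfuscationIndicators(content);
    const dot = filePath.lastIndexOf('.');
    const ext = dot === -1 ? '' : filePath.slice(dot);
    // JavaScript stored in a file whose extension says it is not code.
    if (!JS_EXTENSIONS.includes(ext) && /\b(require|eval)\s*\(/.test(content)) {
      indicators.push(`code in non-script file (${ext || 'no extension'})`);
    }
    // Fixture directories and nested node_modules are rarely inspected.
    if (/(^|\/)(fixtures|node_modules)\//.test(filePath)) {
      indicators.push('located under fixtures/ or node_modules/');
    }
    if (indicators.length >= 2) report.suspiciousFiles.push({ filePath, indicators });
  }
  return report;
}

// Constructed sample package modelled on the traits the write-up describes.
// The placeholder name is not a real package; the "payload" decodes to "hello".
const SAMPLE_PACKAGE_JSON = {
  name: 'example-ui-helper',
  version: '1.0.0',
  scripts: {
    postinstall: 'npm run test || npm transpile || npm run skip',
    test: 'node test/index.js',
  },
};
const SAMPLE_FILES = {
  'lib/index.js': 'module.exports = function notify(msg) { console.log(msg); };\n',
  'test/fixtures/eval/node_modules/test.list':
    'var _0x1a2b=["\\x68\\x65\\x6c\\x6c\\x6f","\\x6c\\x6f\\x67","\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65"];' +
    'var fs=require("fs");eval(_0x1a2b[0]);\n',
};

function runSampleAudit() {
  return auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSampleAudit(), null, 2));
}
```

On the constructed sample, `runSampleAudit()` reports the postinstall hook (fallback chain, runs tests on install) and flags `test/fixtures/eval/node_modules/test.list` with five indicators, while `lib/index.js` is left alone. To apply it to a real tarball, feed `auditPackage` the parsed package.json and a path-to-content map produced by walking the extracted archive, without running any of its scripts.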

Our analysis revealed that these packages contain an adaptive piece of malware built to operate across operating systems (Windows, macOS or Linux) and user environments, a capability that suggests a deliberate focus on technical users who often work across diverse environments.

Once established on a system, the malware surveys its surroundings, collecting detailed system information such as hostname, platform, home directory and system temp directory, before expanding its reach into applications that store sensitive data, such as browsers (Chrome/Brave/Edge/Opera) and digital wallets. It recursively searches common locations for browser profiles, wallet files, keychains and many document/file types. Search keywords include wallet and seed-related terms and many file extensions likely to contain credentials or secrets (*.env, *.key, *.wallet, *.json, *.txt, *.doc, etc.). It contains exclusion lists for common directories so that it skips obvious system files.

The payload writes a local marker/lock file to prevent multiple concurrent runs, and stages its collected data within OS temp directories to avoid detection.

The obfuscated payload also contains a communication channel to a remote server that functions as its command-and-control hub. Through this channel, it can exfiltrate stolen information and receive further instructions. While the infrastructure itself appears limited and purpose-built, its existence confirms the attacker’s intent to maintain persistent control over infected systems.

When the malware finds sensitive data, it bundles the files and attempts to upload them to a remote endpoint hosted on a cloud server, using multipart/form-data so that the stolen files are attached to the requests.

Indicators of Compromise and Mitigation Recommendations

Organizations are advised to remove these malicious dependencies (react-ui-notify, react-tmedia, react-ui-animates, react-medias, react-mandes, bingo-logger) and refresh these environments to ensure integrity. Systems that may have been exposed should have all credentials and access tokens rotated immediately.

Network administrators should restrict outbound traffic to the IP addresses 23.227.202.24 and 131.153.22.25 and review recent connections for anomalies. Rebuilding affected environments from verified, clean sources is strongly recommended to prevent re-infection and ensure supply chain integrity.
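The review of recent connections recommended above, together with the multipart/form-data exfiltration method described earlier, can be turned into a small log-review pass. The script below is an added example for this article, not Xygeni's code; the two IP addresses are the ones listed in this write-up, while the log line format, host names, timestamps and the RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x) used for legitimate destinations are constructed for the example. The allow-list of known-good hosts is a hypothetical one for a build environment and would be replaced by your own.

```javascript
// Added example (not Xygeni's code): flag outbound connections matching the
// published IoCs or the described exfiltration pattern, over constructed
// proxy log lines, and emit egress deny rules for the IoC addresses.

// IP addresses listed in the write-up as C2/exfiltration infrastructure.
const BLOCKED_IPS = new Set(['23.227.202.24', '131.153.22.25']);

// Hypothetical allow-list of destinations a build host is expected to reach.
const KNOWN_GOOD_HOSTS = new Set(['registry.npmjs.org', 'github.com']);

// Constructed log format, one connection per line:
// "<ISO time> <source host> <METHOD> <dest ip> <dest host or -> <content-type> <bytes sent>"
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 7) return null; // skip blank or malformed lines
  const [time, src, method, dstIp, dstHost, contentType, bytes] = parts;
  return { time, src, method, dstIp, dstHost, contentType, bytes: Number(bytes) };
}

// Return the reasons a single connection is worth investigating.
function classify(entry) {
  const reasons = [];
  if (BLOCKED_IPS.has(entry.dstIp)) reasons.push('destination on IoC list');
  // A multipart upload from a build host to an unrecognised destination matches
  // the exfiltration method described: stolen files attached to POST requests.
  if (
    entry.method === 'POST' &&
    entry.contentType.startsWith('multipart/form-data') &&
    !KNOWN_GOOD_HOSTS.has(entry.dstHost)
  ) {
    reasons.push('multipart upload to unrecognised host');
  }
  return reasons;
}

// Run the classifier over a whole log and keep only the flagged entries.
function reviewLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    const entry = parseLine(line);
    if (!entry) continue;
    const reasons = classify(entry);
    if (reasons.length > 0) hits.push({ ...entry, reasons });
  }
  return hits;
}

// Egress deny rules (iptables syntax) for the IoC addresses; a host-based
// starting point, to be mirrored on the perimeter firewall or proxy.
function egressDenyRules() {
  return [...BLOCKED_IPS].map((ip) => `iptables -A OUTPUT -d ${ip} -j DROP`);
}

// Constructed sample log: legitimate registry and GitHub traffic plus two
// connections to the listed IoC addresses, one of them a multipart upload.
const SAMPLE_LOG = `
2025-11-03T10:00:01Z build-01 GET 192.0.2.10 registry.npmjs.org application/json 5120
2025-11-03T10:00:09Z build-01 POST 23.227.202.24 - multipart/form-data;boundary=x 182044
2025-11-03T10:01:22Z build-02 POST 198.51.100.7 github.com application/json 640
2025-11-03T10:02:05Z dev-laptop GET 131.153.22.25 - text/plain 212
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of reviewLog(SAMPLE_LOG)) {
    console.log(`${hit.time} ${hit.src} -> ${hit.dstIp}: ${hit.reasons.join('; ')}`);
  }
  console.log(egressDenyRules().join('\n'));
}
```

On the sample, the two IoC connections are flagged (the upload from build-01 for both reasons, the dev-laptop request for the IoC match alone) and the registry and GitHub traffic is not. The multipart rule deliberately depends on an allow-list rather than the IoC IPs, so it still fires if the attacker moves to new infrastructure.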

Broader Context

Altogether, these packages are another example of the growing maturity of JavaScript-based supply-chain attacks: adversaries increasingly create look-alike packages that borrow structure and documentation from trusted projects, expand them modularly, and adopt better techniques to make detection and mitigation a challenge.

This evolution increases the likelihood of accidental installation by unsuspecting developers and grants adversaries deeper access to build environments, CI/CD systems and source code repositories.

Open-source ecosystems have become a preferred distribution platform for such campaigns. By exploiting the inherent trust developers place in community packages, attackers can infiltrate the software supply chain with minimal effort and often without immediate detection or consequence.

Malware Early Warning (MEW) by Xygeni

This incident was originally identified through Xygeni’s Malware Early Warning system, which continuously monitors open-source package registries such as npm, PyPI and Maven for malicious packages.

Our detection engine automatically flagged these packages as suspicious because of their unusual structure, postinstall script and obfuscated payload. The packages (react-ui-notify, react-tmedia, react-ui-animates, react-medias and react-mandes) were then confirmed to be malicious by our security team and reported to npm before they could reach wider adoption.

How Xygeni Early Warning protects your pipelines

  • Real-time threat detection: Scans every new or updated package in your dependency graph and flags suspicious behaviour such as OS system calls, command execution, obfuscated code and typosquatting, among many others.
  • Immediate alerts: Notifies your security and DevOps teams in Slack, Jira or email as soon as a new threat surfaces in your environment.
  • One-click remediation: Generates pull requests that remove or replace vulnerable dependency versions across your projects.
  • Supported ecosystems: Currently npm, PyPI, Maven and Packagist.

Xygeni helps you stay ahead of supply chain attacks by catching malicious packages at the earliest stage, before they reach your build.

👉 Try Xygeni Malware Early Warning free and see how fast you can detect and neutralize supply-chain threats in your own pipelines.
