Silent Invasion: How North Korea Weaponized npm to Breach Web3 Projects

North Korean Hackers Exploit Open-Source Code to Target Web3 Developers, Experts Warn

A new cyber campaign from North Korea is weaponizing open-source software to infiltrate the global Web3 ecosystem, security researchers say.

A recent report by cybersecurity firm Socket has exposed a widespread malware operation that uploaded over 300 malicious packages to npm, one of the world’s largest open-source JavaScript repositories used by millions of developers. The campaign, dubbed “Contagious Interview,” is believed to be backed by a state-sponsored North Korean hacking group, targeting blockchain engineers and Web3 developers through deceptive job offers and hidden malicious code.

Open Source as a New Battlefield

npm (Node Package Manager) is a cornerstone of modern web development, providing reusable code libraries for everything from small applications to major Web3 platforms. The attack, researchers say, represents one of the most sophisticated attempts yet to compromise the software supply chain—the unseen layer of shared code that underpins thousands of online services and blockchain projects.

According to Socket’s investigation, the attackers uploaded small, seemingly harmless code packages. When unsuspecting developers installed these packages, the malware silently activated, harvesting passwords, browser cookies, and crypto wallet keys from infected devices.



“npm has become a critical part of the internet’s infrastructure,” Socket founder Feross Aboukhadijeh told ABC News. “That makes it a perfect vector for attackers. They can inject malicious updates into legitimate projects and spread the infection across the ecosystem in minutes.”

How the Attack Works

The campaign used a multi-layered deception strategy. Beyond infecting code, the hackers also created fake LinkedIn recruiter accounts, reaching out to blockchain engineers with job opportunities at fake crypto startups. Once trust was established, victims were directed to install the infected npm packages as part of supposed “technical assessments.”

The malware then deployed secondary payloads that captured credentials, gained access to private GitHub repositories, and attempted to exfiltrate data related to crypto wallet integrations. Socket linked the malware signatures to previously identified North Korean cyber families, including BeaverTail and InvisibleFerret, both associated with the regime’s notorious Lazarus Group.

The Lazarus Legacy: State-Sponsored Cyber Theft

The Lazarus Group has become a key instrument of the North Korean government’s effort to fund its sanctioned regime through digital theft. Western intelligence agencies have long accused Pyongyang of using stolen cryptocurrencies to finance its nuclear weapons and missile programs.

So far in 2025, global estimates suggest that more than $6 billion worth of cryptocurrencies have been stolen—an all-time high for the sector. Major incidents include the $1.4 billion ByBit hack in February, the $14 million WOO X breach in July, and the Seedify theft that drained $1.2 million from decentralized project funds.

These attacks highlight a clear pattern: as security improves at centralized exchanges, hackers are shifting their focus toward individual developers, smaller Web3 projects, and even wealthy private investors with inadequate protection measures.

A Shift in Strategy: Targeting the Builders

Cybersecurity analysts note that the latest npm campaign reflects a strategic evolution in North Korea’s approach. Instead of focusing solely on crypto exchanges, the attackers are now infiltrating the development layer itself—the point where blockchain systems are designed and maintained.

“This is no longer about attacking the endpoints of the financial system,” said cybersecurity analyst Emily Chang. “They’re attacking the people who build it—the coders, the innovators, the open-source community. It’s a shift from theft to long-term infiltration.”

Chang warns that these operations can implant “sleeper code” into projects that may only be activated months later when those projects go live, potentially compromising thousands of end-users at once.

The Scale of the Threat

Socket’s report reveals that at least 50 of the malicious npm packages were downloaded more than 10,000 times before removal, meaning some infected code may already be embedded in production environments.

Experts say this makes mitigation efforts complex. “The nature of open source is that code is copied, forked, and reused everywhere,” said Aboukhadijeh. “Once it’s in circulation, even removing it from npm doesn’t erase it from the internet.”

npm’s parent company, GitHub (owned by Microsoft), confirmed it has purged the infected repositories and issued warnings to users who downloaded them. GitHub’s security team stated that it’s “working closely with Socket and other partners to track further related activity and strengthen detection systems.”

The Open-Source Dilemma

While open source has revolutionized global software development, it also comes with inherent risks. Anyone can publish packages, and there is limited centralized review. This openness, once celebrated as the foundation of innovation, is now being weaponized by nation-state actors.

“Web3’s strength is its decentralization—but that’s also its Achilles’ heel,” said Mark Robinson, CTO of a U.S.-based blockchain security firm. “When everything is public, anyone—including hostile governments—can contribute or inject code.”

Industry leaders are now urging developers to verify dependencies before installation, use hardware wallets for digital assets, and treat every npm install like running unknown code from a stranger.

Robinson adds, “You wouldn’t open an email attachment from someone you don’t know. The same principle should apply to open-source software.”
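One way to act on the advice to verify dependencies before installation, as an added example (not from Socket's report or this article): a check over the `packages` map of a `package-lock.json` (lockfile version 2 or 3) that flags entries with install-time scripts, tarballs from outside the expected registry, and missing or weak integrity hashes. The article does not say how the malicious packages executed, so treating install scripts as a review trigger is an assumption, and the sample lockfile and its package names are constructed for illustration.

```javascript
// Added example: flag lockfile entries that deserve review before installing.
// Assumption: packages are expected to come from the public npm registry.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

function auditLockfile(lock, allowInstallScripts = []) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders, symlinks and bundled copies
    // (bundled packages ship inside their parent's tarball).
    if (!path.includes(marker) || pkg.link || pkg.inBundle) continue;
    const name = pkg.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const add = (rule, detail) =>
      findings.push({ name, version: pkg.version, rule, detail });

    // The package declares preinstall/install/postinstall scripts.
    if (pkg.hasInstallScript && !allowInstallScripts.includes(name)) {
      add("install-script", "runs lifecycle scripts during npm install");
    }
    // The tarball is fetched from somewhere other than the expected registry.
    if (pkg.resolved && !pkg.resolved.startsWith(TRUSTED_REGISTRY)) {
      add("untrusted-source", pkg.resolved);
    }
    // No hash, or a weak one, means the tarball content is not pinned.
    if (!pkg.integrity) add("missing-integrity", "no integrity hash recorded");
    else if (!pkg.integrity.startsWith("sha512-")) {
      add("weak-integrity", pkg.integrity.split("-")[0]);
    }
  }
  return findings;
}

// Constructed sample lockfile; package names, URLs and hashes are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-clean-lib": { version: "2.1.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/example-clean-lib/-/example-clean-lib-2.1.0.tgz" },
    "node_modules/example-takehome-helper": { version: "0.0.3", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/example-takehome-helper/-/example-takehome-helper-0.0.3.tgz",
      hasInstallScript: true },
    "node_modules/@demo/logger": { version: "1.4.2", integrity: "sha1-CONSTRUCTED",
      resolved: "https://files.example.test/logger-1.4.2.tgz" },
  },
};

console.table(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of the sample. `npm ci --ignore-scripts` installs without running lifecycle scripts while flagged packages are reviewed.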

Geopolitical Implications

The implications extend beyond cybersecurity. Western intelligence agencies, including the U.S. Department of Treasury and South Korea’s National Intelligence Service, have previously traced billions in stolen crypto back to North Korea’s weapons program.

By exploiting the open-source ecosystem, Pyongyang not only circumvents sanctions but also undermines confidence in digital financial infrastructure globally. Analysts warn that unchecked, such operations could erode trust in decentralized systems just as they’re becoming integral to mainstream finance.

“This is not just about crypto theft,” said international security researcher Dr. Aaron Feldman. “This is a digital extension of state conflict. It’s espionage through code.”

Protecting Web3’s Future

The Socket report has renewed calls for international cooperation to secure open-source supply chains. Industry groups are pushing for real-time package vetting, automated dependency scans, and government-supported threat intelligence sharing.

Some have suggested creating a “Trusted Developer Registry”, a verified global directory that would certify individuals and organizations contributing to critical open-source projects. However, such proposals raise concerns about privacy, centralization, and bureaucracy—values often at odds with the open-source ethos.

Despite these challenges, experts agree that the Web3 industry must adapt quickly. “We can’t keep building the future of finance on trust alone,” said Aboukhadijeh. “Security must become part of the culture, not an afterthought.”

A Wake-Up Call for Developers Everywhere

The “Contagious Interview” campaign serves as a sobering reminder that the tools powering the decentralized revolution are not immune to old-fashioned deception. As North Korea refines its cyber operations, even small pieces of open-source code can become the entry point for multimillion-dollar heists and geopolitical tension.

For developers, the message is clear: vigilance is no longer optional—it’s essential.


Writer @Ellena

Erlin is an experienced crypto writer who loves to explore the intersection of blockchain technology and financial markets. She regularly provides insights into the latest trends and innovations in the digital currency space.

 
