North Korea npm Malware Campaign Targets Crypto Developers


North Korea npm Malware Campaign Exploits Open Source to Attack Web3

North Korean hackers are at it again, this time using open source software to quietly sneak into the global crypto world.

Open Source Malicious Activity

Source: Decrypt

A new report from cybersecurity firm Socket reveals that over 300 malicious code packages were uploaded to npm, one of the world’s biggest JavaScript package registries, used by millions of developers. The North Korean npm malware campaign, dubbed “Contagious Interview,” targeted blockchain and Web3 developers through fake job offers and infected code.

npm as a Weapon: Understanding the Attack Technique

The hackers uploaded small code packages designed to look safe. Once developers installed them, hidden malware stole passwords, browser data, and crypto wallet keys.

Security experts say npm is like the backbone of the modern web. Compromising it enables attackers to silently distribute malware to hundreds of apps and crypto projects via routine software updates, a perilous type of software supply chain attack.

The attackers also created fake LinkedIn recruiter accounts to deceive developers into loading the malicious code. Socket traced the campaign to a state-sponsored North Korean group, connecting it to known malware families such as BeaverTail and InvisibleFerret.

North Korean Hackers Become One of the Most Active Threats

Over the years, these state-sponsored hacker groups have emerged as among the most active operators in the world of global crypto crime. Their activities have steadily escalated, with 2025 being a record year for crypto hacks, with more than $6 billion worth of cryptocurrencies taken so far.

From the huge $1.4 billion ByBit hack in February, to July's WOO X attack that siphoned $14 million from users' accounts, and the Seedify theft of $1.2 million, their efforts have become more synchronized and effective.

The biggest individual theft of the year, $100 million, showed how their focus has expanded beyond exchanges to wealthy individuals as well.

A Change in Attack Pattern or Just More Targets

While big crypto exchanges were once their main focus, hackers are now targeting high-net-worth crypto holders who often lack strong security measures.

Many thefts from individuals go unreported, probably because of the absence of digital asset laws and awareness in the field, so the real number could be far higher.

Over time their pattern has changed: they started with traditional firms, moved on to the virtual asset market, and then to wealthy individuals. Their targets remain unpredictable, as their activity now reaches into open source.

Concerns Are Concerning: An Overview

Activities of this kind, which are believed to be state-supported, can be dangerous not only for the digital space but for the real world. According to Western security agencies, the stolen funds are believed to help finance North Korea’s nuclear weapons and missile programs, which is not a good thing for a safe future.

Security experts urge crypto teams and users to:

  • Scan code dependencies before installing.

  • Use hardware wallets.

  • Treat every “npm install” like running code from a stranger.
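As an added illustration of the first and third recommendations (this is not code from Socket's report or from this article), the sketch below reviews a parsed package-lock.json before anything is installed. It assumes the lockfile v2/v3 layout and the default public registry; the lockfile contents and package names are constructed for the example.

```javascript
// Constructed sample in package-lock.json v3 shape; all package names are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", version: "1.0.0" },
    "node_modules/left-helper": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/left-helper/-/left-helper-2.1.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/wallet-utils-example": {
      version: "0.0.3",
      resolved: "https://registry.npmjs.org/wallet-utils-example/-/wallet-utils-example-0.0.3.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
      hasInstallScript: true, // npm records this when a package declares install-time scripts
    },
    "node_modules/interview-task-example": {
      version: "1.0.0",
      resolved: "git+ssh://git@example.invalid/recruiter/interview-task.git#0000000",
      hasInstallScript: true,
    },
  },
};

const TRUSTED_REGISTRY = "https://registry.npmjs.org/"; // assumption: default public registry

// Return one finding per dependency that deserves review before `npm install`.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders and local symlinks.
    if (!path.includes("node_modules/") || pkg.link) continue;
    const reasons = [];
    if (pkg.hasInstallScript) reasons.push("runs install-time scripts");
    if (!pkg.resolved || !pkg.resolved.startsWith(TRUSTED_REGISTRY)) {
      reasons.push("not fetched from the expected registry");
    }
    if (!pkg.integrity) reasons.push("no integrity hash pinned");
    if (reasons.length) {
      findings.push({ name: path.split("node_modules/").pop(), version: pkg.version, reasons });
    }
  }
  return findings;
}

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join("; ")}`);
}
```

While flagged packages are being reviewed, `npm install --ignore-scripts` installs dependencies without running their install-time scripts.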

The open nature of Web3 is both its strength and its weakness, and hackers are exploiting that openness to the fullest. In this scenario, staying alert isn’t optional anymore; it’s essential.
