A New Breed of Social Engineering Threat
A recent investigation has exposed a sophisticated cyber-espionage campaign led by the North Korean-linked group Famous Chollima (APT 37). The group is targeting job seekers, especially software developers and crypto professionals, by impersonating recruiters from well-known companies and delivering malicious payloads disguised as technical assessments.
Victims receive seemingly legitimate interview invitations on platforms like LinkedIn or Indeed. They are asked to download npm packages from GitHub as part of the evaluation. These packages contain obfuscated JavaScript that installs malware on the victim’s machine, specifically backdoors such as InvisibleFerret and BeaverTail.
Why This Campaign Is So Dangerous
What makes this threat especially potent is its abuse of trust. Developers are typically accustomed to working with GitHub, npm, and command-line tools. The attackers exploit this trust by:
- Using real development workflows to hide malicious behavior
- Targeting cross-platform environments (Windows, macOS, Linux)
- Avoiding traditional detection through fileless execution and Git-based delivery
- Harvesting credentials, environment variables, and crypto wallet data
This isn’t a random phishing campaign; it’s a calculated exploitation of industry norms.
What Organizations Need to Do
For organizations hiring developers or working with remote teams, the implications are significant. COE Security recommends:
- Verifying all recruiter identities and interview workflows
- Training HR teams to spot impersonation campaigns
- Monitoring npm and GitHub activity within enterprise environments
- Restricting installation of third-party packages to trusted sources
- Performing targeted malware scans for JavaScript-based backdoors
- Implementing zero-trust onboarding for developer and contractor systems
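The two recommendations above about monitoring npm/GitHub activity and scanning for JavaScript-based backdoors can be partly automated before a candidate or engineer ever runs `npm install` on a "take-home assessment". The following is an added example written for this article, not COE Security's tooling: a heuristic triage script that flags install-time lifecycle hooks in `package.json` and common obfuscation indicators in the package's JavaScript. The packages are modelled in memory as `{path: content}` dictionaries so it runs offline, both sample packages are constructed for illustration, and the indicator list is an assumed starting point rather than a complete signature set.

```python
"""
Heuristic triage of an npm package for install-time hooks and obfuscated
JavaScript. Added example, not COE Security's code. Packages are modelled
in memory as {path: content}; the indicator regexes are assumptions chosen
for illustration, not a complete or vendor-maintained signature set.
"""
import json
import re

# Lifecycle scripts that npm runs automatically during `npm install`.
# A "coding assessment" repo that needs one of these deserves a second look,
# because the code executes without the candidate ever calling it.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators frequently seen in obfuscated loaders (assumed heuristics).
INDICATORS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "child_process": re.compile(r"require\s*\(\s*['\"]child_process['\"]\s*\)"),
    "base64_decode": re.compile(r"Buffer\.from\s*\([^)]*['\"]base64['\"]"),
    "long_hex_escape_string": re.compile(r"(\\x[0-9a-fA-F]{2}){16,}"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "env_harvest": re.compile(r"process\.env\b"),
}


def scan_package(files):
    """Return {"hooks": [...], "hits": {path: [indicator, ...]}, "score": int}."""
    hooks = []
    manifest = files.get("package.json")
    if manifest:
        scripts = json.loads(manifest).get("scripts", {})
        hooks = [h for h in INSTALL_HOOKS if h in scripts]

    hits = {}
    for path, content in files.items():
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        found = [name for name, rx in INDICATORS.items() if rx.search(content)]
        if found:
            hits[path] = found

    # Weight install hooks higher: hook + code indicator is the combination
    # that turns a repo into a drive-by loader.
    score = len(hooks) * 2 + sum(len(v) for v in hits.values())
    return {"hooks": hooks, "hits": hits, "score": score}


def verdict(report):
    """Map a scan report to a simple gate decision for the onboarding workflow."""
    if report["hooks"] and report["hits"]:
        return "block"
    if report["hooks"] or report["hits"]:
        return "review"
    return "pass"


# Constructed sample: a benign assessment repo with only a test script.
BENIGN = {
    "package.json": json.dumps({"name": "coding-task", "scripts": {"test": "jest"}}),
    "src/index.js": "module.exports = (a, b) => a + b;\n",
}

# Constructed sample: a postinstall hook that decodes and evaluates a blob
# and pulls in child_process, the shape described in the article.
SUSPICIOUS = {
    "package.json": json.dumps({
        "name": "coding-task",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }),
    "setup.js": (
        "const cp = require('child_process');\n"
        "const blob = Buffer.from('" + "QUJD" * 60 + "', 'base64').toString();\n"
        "eval(blob);\n"
    ),
    "src/index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        report = scan_package(pkg)
        print(label, verdict(report), report)
```

In practice the dictionary would be built by walking a cloned repository or an extracted tarball, and "review" results would go to a security reviewer rather than to the candidate's laptop. The gate is deliberately conservative: a legitimate `prepare` hook with no code indicators only lands in "review", while a hook combined with any indicator is blocked outright.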
The success of these campaigns shows that attackers are targeting individuals as entry points into larger networks. Developer laptops and cloud IDEs can serve as high-privilege targets if not properly segmented and secured.
About COE Security
At COE Security, we specialize in defending against the evolving threat landscape, especially where people and code intersect.
We help organizations in fintech, blockchain, software development, SaaS, and research sectors through:
- Developer-focused threat detection
- Recruitment workflow hardening
- Open-source supply chain monitoring
- GitHub/NPM pipeline protection
- Security awareness training for technical and non-technical staff
- Incident response readiness for social engineering intrusions
We combine behavioral intelligence with technical controls to ensure your talent pipeline doesn’t become a threat pipeline.