Chollima APT Strikes Again

Cybersecurity experts have uncovered a sophisticated campaign led by the Chollima APT group, targeting job seekers and hiring organizations. The attackers are exploiting software supply chains, particularly npm packages and GitHub repositories, to distribute JavaScript-based malware disguised as legitimate tools.

The campaign uses seemingly harmless npm packages like helmet validate or sass notification. Once installed, the package's payload silently downloads secondary scripts such as BeaverTail, which conducts system reconnaissance and then drops InvisibleFerret, a powerful backdoor. This malware enables credential theft, crypto wallet scraping, and remote access across Windows, macOS, and Linux environments.

Fake job offers, interview requests, and developer tools are used as social engineering lures. In several cases, attackers impersonate IT professionals or pose as fake cryptocurrency firms to build trust and convince victims to download malicious content shared during job processes.

Why This Matters
  • Developers and job applicants can unknowingly compromise enterprise environments through supply chain infection

  • The malware is cross platform and specifically targets widely used crypto wallet browser extensions

  • Threat actors are using AI generated resumes, job listings, and fake websites to improve their success rate

  • Open source dependencies are increasingly becoming high risk points of infiltration for corporate systems

How COE Security Can Help

COE Security supports organizations in financial services, healthcare, retail, manufacturing, and government to protect against advanced persistent threats and social engineering campaigns like this:

  • AI enhanced threat detection to uncover malicious npm packages and suspicious repository behavior

  • Penetration testing targeting developer environments, open source integrations, and HR recruitment workflows

  • Secure Software Development Consulting (SSDLC) to enforce strict dependency checks and minimize supply chain risk

  • Real time monitoring and incident response to detect compromise via tools like GitHub and npm

  • Customized training for developers, HR teams, and IT staff to identify and neutralize social engineering tactics

Conclusion

The Chollima campaign is a stark reminder that even job hunting and open source development can become high stakes attack vectors. As attackers adopt more deceptive tactics and AI enhanced strategies, organizations must elevate their defense by combining secure development practices, social engineering awareness, and continuous monitoring of third party tools.

About COE Security

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI powered systems and ensure compliance. Our offerings include:

  • AI enhanced threat detection and real time monitoring

  • Data governance aligned with GDPR, HIPAA, and PCI DSS

  • Secure model validation to guard against adversarial attacks

  • Customized training to embed AI security best practices

  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network and Cloud)

  • Secure Software Development Consulting (SSDLC)

  • Customized CyberSecurity Services

We help clients defend against supply chain attacks and social engineering by monitoring developer platforms, hardening recruitment pipelines, and building security first coding environments.

Follow COE Security on LinkedIn to stay informed and cyber safe.