Malicious package: JP-Soccer-MVP (npm) — Contagious Interview / Lazarus Group

[eaillaud]

Source

• https://github.com/Nodakara-Workspace/JP-Soccer-MVP

Package

• Name: JP-Soccer-MVP
• Registry: npm

Attack summary

The package contains a weaponized prepare lifecycle hook that executes
automatically on npm install.

Attack chain:

1. prepare hook → node server/server.js
2. POSTs entire process.env to: https://ip-check-notification-rkb.vercel.app/api
3. RCE via new Function(response.data)(require)
4. C2 agent polls 104.192.42.117:3000 every 5s for arbitrary JS to execute

IOCs

• C2 server: 104.192.42.117:3000
• Exfil endpoint: https://ip-check-notification-rkb.vercel.app/api
• C2 paths: POST /api/handleErrors, POST /api/reportErrors
• Agent ID (assigned to my machine): 958d1766-ab12-40d0-a286-93c05e146ca4

Delivery vector

Fake LinkedIn job interview — attacker asks candidate to clone and run - https://www.linkedin.com/in/danjel-cela-3a6958127/
the package during a screen-share session ("Contagious Interview" campaign).

Attribution

Lazarus Group / DPRK — matches known Contagious Interview TTPs.

[du1k3]

There are a few more similar repositories:
DarnellLex/jp-soccer-v1
DarnellLex/Jp-Soccer
Architecture-tech-lab/Jp-Soccer

Then there is this one with simmilar attack vector, not related to jp-soccer but provided by one of organisations
DarnellLex/bet-poker

And one infected victim repo
copeau/JP-soccer

[du1k3]

Commands are delivered as array. Primary targets:

• Password manager databases (KeePass .kdbx)
• Cryptocurrency wallets (MetaMask, hardhat, truffle keywords)
• Browser saved passwords
• SSH keys and shell history

Here is update on attack chain endpoints, based on captured pcap file:

Exfiltration endpoint
POST /upload
POST /uploadsecond

Storage path
BK1/<index>-<hostname>/files/<timestamp>/