What happened
A North Korean threat group is using public JSON storage services to host and deliver malware. Operators approach developers with fake job offers and send "demo projects" whose code contains Base64-encoded strings; decoded, these are URLs to payloads stored on services such as JSON Keeper, JSONsilo, and npoint.io. The fetched payload delivers the JavaScript malware BeaverTail, which in turn installs a Python backdoor called InvisibleFerret and can fetch additional tooling.
Who is affected
Software developers, and the teams that review external code, are most at risk. Any company that relies on code repositories, take-home developer assessments, or third-party contributions could be exposed, because the delivery path looks like ordinary developer activity and a fetch from a well-known hosting service may pass basic checks.
Why CISOs should care
The attack blends into routine developer workflows, so there is little for users or tooling to flag. Because the payloads are staged on legitimate, widely used services, domain-reputation and URL filtering may let the traffic through. A single compromised developer machine or account can become a path to wider internal access, data loss, or tampering with the company's code.
3 practical actions
- Review how your teams handle code from outside the organization, and require that demo projects, take-home assessments, and recruiter-supplied repositories are opened only in an isolated sandbox, never on a workstation that holds credentials or repository access.
- Log and restrict outbound requests to public JSON storage services (JSON Keeper, JSONsilo, npoint.io and similar) from developer machines and build systems; confirm whether any legitimate workflow depends on them before blocking.
- Update detection rules for BeaverTail, InvisibleFerret, and the activity around them, such as an unexpected Python install or Python backdoor process on a developer host.
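The three actions above, as an added example that is not from the original page or from any vendor tooling: a small Python triage script that does the check behind the first action (before anyone runs a demo project, decode the Base64 strings it contains and see where they point) and yields the host list for the second (the JSON storage domains to alert or block on). The host list and the sample project are assumptions: the domains are taken to be the registrable domains of the services named above, and the sample JavaScript file is constructed here, including the hypothetical npoint.io document id.

```python
"""Pre-review triage for a code drop: find Base64 strings that decode to URLs
and flag any that point at public JSON storage hosts."""
import base64
import re
from pathlib import Path

# Services named in the reporting. Assumption: these are their registrable
# domains; extend the set from your own proxy or DNS telemetry.
SUSPECT_HOSTS = {"jsonkeeper.com", "jsonsilo.com", "npoint.io"}

# File types a demo project is likely to carry; adjust for your stack.
CODE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".tsx", ".json", ".py"}

# A URL encodes to at least ~24 Base64 characters; shorter runs are noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def is_suspect_host(host):
    """True when host is one of the staging services or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)


def decode_urls(text):
    """Return (encoded, decoded, host) for each Base64 run that decodes to a URL."""
    hits = []
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        padded = blob + "=" * (-len(blob) % 4)  # tolerate unpadded strings
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text once decoded
        url = URL_RE.search(decoded)
        if url:
            hits.append((blob, decoded, url.group(1)))
    return hits


def scan_text(text, source="<inline>"):
    """Findings for one file; 'suspect' is True when the host is a staging service."""
    return [
        {"source": source, "encoded": enc, "decoded": dec,
         "host": host, "suspect": is_suspect_host(host)}
        for enc, dec, host in decode_urls(text)
    ]


def scan_tree(root):
    """Scan every code-like file under root, skipping node_modules to limit noise."""
    findings = []
    for path in Path(root).rglob("*"):
        if (path.is_file() and path.suffix in CODE_SUFFIXES
                and "node_modules" not in path.parts):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(path)))
    return findings


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample, not a real project: one string decodes to a JSON storage
# URL (hypothetical document id), one to a legitimate registry, one to plain text.
SAMPLE_JS = f"""
const cfg = "{_b64('https://api.npoint.io/0123456789abcdef0123')}";
const reg = "{_b64('https://registry.npmjs.org/')}";
const key = "{_b64('not-a-url-just-some-padding-text')}";
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_JS, "demo/index.js"):
        print(("SUSPECT" if f["suspect"] else "url    "), f["source"], f["decoded"])
```

Run it against a cloned demo project with `scan_tree("path/to/project")` before anyone executes the code; any finding with `suspect` set should stop the review and go to the security team, and the decoded hosts from non-suspect findings are worth a glance too, since the staging service can change between campaigns.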
