A significant security threat has emerged targeting software developers worldwide. North Korean state-sponsored threat actors, operating under the “Contagious Interview” campaign, are systematically spreading malicious packages across npm, GitHub, and Vercel infrastructure to deliver OtterCookie malware.
This sophisticated multi-stage operation demonstrates how threat actors have adapted their tooling to target modern JavaScript and Web3 development workflows.
Since October 10, 2025, researchers have uncovered at least 197 new malicious npm packages designed to trick developers into installing compromised code, with over 31,000 additional downloads recorded during this wave alone.
The attack chain relies on a carefully coordinated supply chain approach. Threat actors create fake developer portfolios on GitHub, publish typosquatted packages on npm that impersonate legitimate libraries, and use Vercel hosting to stage the malware payloads.
When developers unknowingly install these malicious packages, a postinstall script automatically executes and reaches out to attacker-controlled endpoints to fetch and run the latest OtterCookie variant.
This seamless integration into standard development workflows makes the attack particularly dangerous: it bypasses conventional security awareness because developers expect npm packages to execute code during installation.
Socket.dev security analysts identified that the infrastructure behind this campaign reveals a well-orchestrated operation.
The researchers traced malicious packages like “tailwind-magic,” which impersonates the legitimate “tailwind-merge” library, to a threat actor-controlled GitHub account named “stardev0914” and a Vercel staging endpoint called “tetrismic.vercel.app.”
Contagious Interview attack chain (Source – Socket.dev)
This account contained at least 18 repositories designed to serve as both delivery vehicles and convincing lures, with repositories themed around cryptocurrency projects including fake DEX front-ends and token websites.
At least five core malicious packages, including “node-tailwind,” “tailwind-node,” and “react-modal-select,” route through this infrastructure.
The malware architecture itself reflects sophisticated development. OtterCookie operates as a combined infostealer and remote access trojan with cross-platform capabilities spanning Windows, macOS, and Linux.
Once executed inside a Node.js process, the malware performs initial environment checks to detect virtual machines and sandboxes, fingerprints the infected host, and then establishes bidirectional communication with command and control servers.
This detection-evasion technique ensures the malware only fully activates on legitimate developer machines rather than in the analyst environments where security researchers typically operate.
An infection and Persistence Mechanisms
The infection mechanism demonstrates meticulous engineering. The malicious npm packages use a postinstall script that executes when developers run npm install.
This script calls the threat actor's endpoint using axios, which returns JavaScript code embedded in a JSON field named “model.”
Annotated GitHub view of the threat actor-controlled account stardev0914 (Source – Socket.dev)
The package then extracts this field and executes it with eval inside the victim's Node.js process, granting the attackers full Node.js privileges and allowing arbitrary code execution.
The staging server continuously updates its main.js payload, enabling threat actors to rotate malware variants across multiple packages and customize responses per target.
Once deployed, OtterCookie establishes persistence through multiple mechanisms. On Windows systems, the malware creates scheduled tasks named “NodeUpdate” that run at logon with highest privileges, and adds registry entries under HKCU\Run\NodeHelper.
The actual payload spawns three asynchronous worker processes using child_process.spawn, each running as a detached Node.js process with stdio redirected to ignore and the windowsHide flag set to true.
These processes then unref themselves, allowing them to continue running in the background after the initial loader exits.
KXCO-branded DEX front end hosted at knightsbridge-dex[.]vercel[.]app (Source – Socket.dev)
The malware simultaneously performs system-wide keylogging using the GlobalKeyboardListener module, captures screenshots from all connected displays every 5 seconds, exfiltrates clipboard contents, and recursively scans the filesystem for files matching patterns like “.env,” “metamask,” “phantom,” and “seed” to harvest cryptocurrency wallet data and credentials.
The comprehensive data harvesting capabilities extend to browser profiles. The malware specifically targets Chrome and Brave browsers on all three operating systems, accessing saved login credentials by querying the “Login Data” SQLite database found in each browser's profile directory.
Additionally, it identifies and extracts data from at least 42 different cryptocurrency wallet browser extensions, including MetaMask, Phantom, Keplr, and dozens of others commonly used by Web3 developers.
All collected data flows through the command and control infrastructure at IP address 144.172.104.117, which handles both data collection and tasking, allowing threat actors to issue remote commands and maintain persistent interactive shell access.