North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware


Posted on November 28, 2025 By CWS

Nov 28, 2025Ravie LakshmananSupply Chain Assault / Malware
The North Korean risk actors behind the Contagious Interview marketing campaign have continued to flood the npm registry with 197 extra malicious packages since final month.
In line with Socket, these packages have been downloaded over 31,000 occasions, and are designed to ship a variant of OtterCookie that brings collectively the options of BeaverTail and prior variations of OtterCookie.

Some of the identified “loader” packages are listed below:

bcryptjs-node
cross-sessions
json-oauth
node-tailwind
react-adparser
session-keeper
tailwind-magic
tailwindcss-forms
webpack-loadcss
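
A defender's check for the loader names listed above, as an added example that is not from the article or from Socket: it walks a parsed package-lock.json (lockfile versions 1 to 3) and reports exact-name matches, including transitive and aliased installs. The sample lockfile, its versions and the function names are constructed for illustration.

```javascript
// Loader package names listed in the article above (a partial list).
const LOADER_PACKAGES = new Set([
  'bcryptjs-node', 'cross-sessions', 'json-oauth', 'node-tailwind',
  'react-adparser', 'session-keeper', 'tailwind-magic',
  'tailwindcss-forms', 'webpack-loadcss',
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns [{ name, version, path }] for each listed loader found in a parsed
// package-lock.json. Matching is on the exact package name, never a substring.
function findLoaderPackages(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path ("" = root).
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue;
    // "name" is recorded when the folder differs from the package (alias install).
    const name = meta.name || nameFromLockPath(lockPath);
    if (LOADER_PACKAGES.has(name)) hits.push({ name, version: meta.version, path: lockPath });
  }
  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${name}`;
      if (LOADER_PACKAGES.has(name)) hits.push({ name, version: meta.version, path: here });
      walk(meta.dependencies, `${here}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample (not from the article): one transitive hit, plus a scoped
// package whose name merely resembles a listed loader and must not match.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@tailwindcss/forms': { version: '0.5.7' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/express/node_modules/tailwind-magic': { version: '1.0.2' },
  },
};
console.log(findLoaderPackages(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findLoaderPackages`. A clean result covers only the names listed here, which the article presents as some of the 197 packages.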

The malware, once launched, attempts to evade sandboxes and virtual machines, profiles the machine, and then establishes a command-and-control (C2) channel to provide the attackers with a remote shell, along with capabilities to steal clipboard contents, log keystrokes, capture screenshots, and gather browser credentials, documents, cryptocurrency wallet data, and seed phrases.
It's worth noting that the blurring distinction between OtterCookie and BeaverTail was documented by Cisco Talos last month in connection with an infection that impacted a system associated with a company headquartered in Sri Lanka after a user was probably deceived into running a Node.js application as part of a fake job interview process.

Further analysis has determined that the packages are designed to connect to a hard-coded Vercel URL (“tetrismic.vercel[.]app”), which then proceeds to fetch the cross-platform OtterCookie payload from a threat actor-controlled GitHub repository. The GitHub account that serves as the delivery vehicle, stardev0914, is no longer accessible.
“This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it exhibits how totally North Korean risk actors have tailored their tooling to trendy JavaScript and crypto-centric growth workflows,” security researcher Kirill Boychenko said.

The development comes as fake assessment-themed websites created by the threat actors have leveraged ClickFix-style instructions to deliver malware called GolangGhost (aka FlexibleFerret or WeaselStore) under the pretext of fixing camera or microphone issues. The activity is tracked under the moniker ClickFake Interview.

Written in Go, the malware contacts a hard-coded C2 server and enters into a persistent command-processing loop to collect system information, upload/download files, run operating system commands, and harvest information from Google Chrome. Persistence is achieved by writing a macOS LaunchAgent that triggers its execution via a shell script automatically upon user login.
Also installed as part of the attack chain is a decoy application that displays a bogus Chrome camera access prompt to keep up the ruse. Subsequently, it presents a Chrome-style password prompt that captures the content entered by the user and sends it to a Dropbox account.
“Though there’s some overlap, this marketing campaign is distinct from different DPRK IT Employee schemes that target embedding actors inside reputable companies beneath false identities,” Validin stated. “Contagious Interview, in contrast, is designed to compromise people by means of staged recruiting pipelines, malicious coding workout routines, and fraudulent hiring platforms, weaponizing the job utility course of itself.”
