Full Report
The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month. According to Socket, these packages have been downloaded over 31,000 times, and are designed to deliver a variant of OtterCookie that brings together the features of BeaverTail and prior versions of OtterCookie. Some of the
Analysis Summary
# Threat Actor: North Korean Threat Actors (Contagious Interview Campaign)
## Attribution & Identity
* **Attribution:** North Korean threat actors.
* **Known Aliases/Associations:** Associated with the "Contagious Interview" campaign. Also tangentially linked, under the name ClickFake Interview, to activity involving GolangGhost (also tracked as FlexibleFerret/WeaselStore); the report treats this as distinct from the DPRK IT Worker schemes, whose goal is to place operatives inside target organizations rather than to compromise developer machines.
## Activity Summary
The actors are aggressively continuing the **Contagious Interview** campaign, which weaponizes the job application/recruiting process. Recently, they flooded the npm registry with **197 new malicious packages** since the previous month, resulting in over **31,000 downloads**. These packages are designed to deliver an updated variant of the **OtterCookie** malware, which incorporates features from **BeaverTail**.
A known historical instance detailed an infection impacting a system associated with an organization headquartered in **Sri Lanka**, where a user was tricked into running a Node.js application during a fake job interview process.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise (Software Repository):** Uploading malicious packages to public repositories (specifically npm).
* **Payload Delivery:** Packages serve as "loaders" designed to fetch the primary OtterCookie payload.
* **C2 Communication:** Establishing a Command-and-Control (C2) channel to grant a remote shell.
* **Anti-Analysis:** Attempts to evade sandboxes and virtual machines upon launch.
* **System Profiling:** Gathering initial system environment details.
* **Data Exfiltration/Espionage:** Stealing clipboard contents, logging keystrokes, capturing screenshots, and harvesting browser credentials, documents, and cryptocurrency wallet data/seed phrases.
* **Code Merging/Evolution:** Creating new malware variants that combine features from existing tools (OtterCookie + BeaverTail).
## Targeting
* **Sectors:** Software developers, above all those working in JavaScript/Node.js, whose day-to-day workflow installs third-party npm packages and is therefore exposed to supply chain compromise; the organizations employing such developers are affected by extension, as the Sri Lanka incident suggests.
* **Geography:** Undetermined specific geography for the latest npm campaign, but historically linked to an infection in **Sri Lanka**.
* **Victims:** Individuals deceived into running malicious code through fake job interview/coding assessment pipelines.
## Tools & Infrastructure
* **Malware Families used:** Updated variant of **OtterCookie** (blended with BeaverTail features).
* **Infrastructure (C2, domains, IPs):**
* **Loader URL:** A hard-coded Vercel URL: `tetrismic[.]vercel[.]app`
* **Payload Hosting:** A threat actor-controlled GitHub repository, previously associated with the user `stardev0914` (now inaccessible).
* **Specific npm Loader Packages (Examples):** `bcryptjs-node`, `cross-sessions`, `json-oauth`, `node-tailwind`, `react-adparser`, `session-keeper`, `tailwindcss-forms`, `webpack-loadcss`.
## Implications
This campaign represents one of the most prolific uses of the npm registry for malicious deployment, demonstrating the actor group's thorough adaptation to modern JavaScript and crypto-centric development environments. The sustained tempo indicates a persistent, industrial approach to exploiting the developer ecosystem for espionage or financial gain.
## Mitigations
* Implement strict vetting processes for all third-party package dependencies, especially in CI/CD pipelines or local development environments.
* Monitor network egress from developer workstations and CI runners for connections to throwaway deployments on cloud hosting platforms (such as `*.vercel.app` endpoints) and to code-hosting services (such as GitHub repositories) that are triggered by dependency installation rather than by the developer.
* Educate developers on the risks associated with supply chain attacks specifically targeting developer tooling and job recruitment lures.
* Perform deep analysis of package behavior before installation, not just of package metadata: inspect install-time lifecycle scripts, hard-coded remote URLs, and any code that fetches and executes a second stage, since the loader packages in this campaign only become dangerous when run.