North Korean 'Contagious Interview' Campaign Expands with Malicious npm Packages and OtterCookie Malware
North Korea-linked threat actors have significantly expanded the 'Contagious Interview' campaign, targeting software developers in the crypto and Web3 sectors by uploading 197 new malicious npm packages designed to distribute an updated version of the OtterCookie infostealer. These actors, posing as recruiters on platforms like LinkedIn, use sophisticated social engineering tactics such as fake job interviews and trojanized demo projects to lure victims on Windows, Linux, and macOS. The campaign leverages a full delivery infrastructure, including a threat actor–controlled GitHub account and Vercel-hosted staging sites, to store and deliver malware, with command and control servers used for data theft and remote tasking. The campaign's payloads include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT, and the malicious npm packages have been downloaded over 31,000 times, highlighting the scale and persistence of the operation.
Technical analysis reveals that the attackers have built a robust malware delivery system, using their GitHub account to host repositories and fetch the latest payloads from Vercel, while maintaining separate C2 infrastructure for exfiltration and tasking. At least five npm packages, including 'tailwind-magic' and its variants, have been directly linked to this campaign. The operation demonstrates the increasing sophistication of North Korean supply chain attacks, with a focus on compromising developers in high-value sectors through open-source ecosystems. Security researchers continue to monitor the evolving tactics and infrastructure associated with this campaign, warning organizations and developers to exercise heightened vigilance when interacting with unsolicited job offers and npm packages.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Contagious Interview expands to PyPI, Go, Rust, and PHP package ecosystems
Researchers reported more than a dozen new malicious packages tied to Contagious Interview across npm, PyPI, Go Modules, crates.io, and Packagist, showing the campaign had broadened beyond npm into multiple open-source ecosystems. The report said the operation had used over 1,700 illicit packages since emerging in January 2025 and continued delivering infostealer and RAT malware to developers.
Campaign adopts new delivery methods including VSCode Tasks and JSON services
Subsequent analysis showed the operation evolving further by abusing Microsoft VSCode Tasks and using JSON storage services to host or deliver malware payloads, indicating continued adaptation after earlier exposure.
GitHub account linked to campaign is deactivated
A key GitHub account associated with the operation, identified as stardev0914, was removed by GitHub, though researchers said the threat actors quickly resumed activity using new accounts.
OtterCookie variant and expanded capabilities are disclosed
Reporting revealed a new OtterCookie malware variant with infostealing and remote access features including credential theft, keylogging, clipboard monitoring, browser and wallet data theft, and sandbox evasion.
Socket uncovers full-stack delivery via npm, GitHub, and Vercel
Researchers at Socket reported that the attackers were using a full-stack software supply-chain model, combining npm for distribution, GitHub for code hosting, and Vercel for staging and delivery of malware-laced projects.
Researchers identify 197+ malicious npm packages in Contagious Interview
Late-November reporting said the campaign had expanded to 197 to 200 malicious npm packages, with more than 31,000 downloads, distributing updated OtterCookie malware and BeaverTail components across Windows, Linux, and macOS.
Malicious npm package wave starts in Contagious Interview campaign
By October 10, 2025, attackers had begun a sustained wave of malicious npm uploads tied to Contagious Interview, using typosquatted and trojanized packages to infect developer environments.
Contagious Interview campaign begins targeting developers
North Korea-linked threat actors began the Contagious Interview operation in November 2023, using fake recruiter outreach and job interview lures to target software developers, especially in crypto and Web3.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Tracking an OtterCookie Infostealer Campaign Across npm - Panther | The Security Monitoring Platform for the Cloud
panther.com
Open sourceContagious Interview campaign expands further | brief | SC Media
scworld.com
Open sourceDPRK's 'Contagious Interview' Spawns Malicious Npm Package Factory
darkreading.com
Open sourceIllicit npm packages deploy new OtterCookie malware variant
scworld.com
Open sourceContagious Interview campaign expands with 197 npm Ppackages spreading new OtterCookie malware
securityaffairs.com
Open sourceSECURITY AFFAIRS MALWARE NEWSLETTER ROUND 73
securityaffairs.com
Open sourceLatest Contagious Interview malware campaign abuses Microsoft VSCode Tasks
opensourcemalware.com
Open source🎓️ Vulnerable U | #144
vulnu.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean 'Contagious Interview' Campaign Floods npm Registry with Malicious Packages Targeting Crypto Developers
North Korean state-sponsored threat actors have significantly escalated their 'Contagious Interview' campaign by flooding the npm registry with over 338 malicious packages designed to steal cryptocurrency and sensitive credentials. The operation leverages a repeatable playbook, with threat actors creating more than 180 fake personas and using new npm aliases and registration emails to distribute the malware. These malicious packages have collectively been downloaded over 50,000 times, indicating a substantial reach and potential impact on the developer community. The attackers primarily target Web3, cryptocurrency, and blockchain developers, as well as technical job seekers, often approaching them on LinkedIn under the guise of recruiters or hiring managers. The campaign follows a multi-stage attack chain, beginning with reconnaissance on social media, followed by weaponization through the publication of typosquatted npm packages. Delivery occurs via recruiter lures, leading to exploitation through malware loaders that execute in memory. The malware tooling has evolved, with initial stages using direct BeaverTail droppers, and more recent waves employing HexEval, XORIndex, and encrypted loaders that reconstruct BeaverTail in memory. Once executed, these loaders typically fetch the InvisibleFerret backdoor, which establishes persistence and enables further malicious actions. The attackers use over a dozen command and control endpoints to manage the compromised systems. The campaign is iterative, with new malicious packages appearing weekly and loader code being regularly tweaked to evade detection. The npm security team has been notified, and takedown requests have been submitted, but as of the latest reports, 25 malicious packages remain live on the registry. The operation has resulted in multi-stage compromises, including the theft of wallet keys and sensitive credentials, leading to financial losses for victims. The attackers' use of social engineering, technical obfuscation, and rapid distribution across new aliases demonstrates a high level of sophistication and adaptability. The campaign has been mapped to the Lockheed Martin Cyber Kill Chain, illustrating its comprehensive approach from reconnaissance to actions on objectives. Security researchers emphasize the need for heightened vigilance among developers, especially those in the cryptocurrency and blockchain sectors, and recommend immediate review of npm dependencies and enhanced monitoring for suspicious package activity. The ongoing nature of the campaign and the attackers' ability to quickly adapt their tactics pose a persistent threat to the software supply chain. Organizations are urged to implement robust security controls, educate staff about social engineering risks, and coordinate with npm and security vendors to mitigate exposure. The incident highlights the growing risk of supply chain attacks via open-source ecosystems and the need for industry-wide collaboration to address such threats.
Apr 11, 2026
North Korean Fake Job Campaigns Targeting Developers via npm and Recruiting Platforms
North Korean state-sponsored threat actors have intensified their cyber-espionage operations by targeting job seekers in the AI, cryptocurrency, and Web3 development sectors. Security researchers have uncovered a sophisticated campaign in which operatives create fake job platforms that closely mimic legitimate recruiting services, such as Lever, to lure candidates into running malicious software under the guise of interview processes or test assignments. This approach exploits the trust and secrecy inherent in job searches, making victims less likely to report suspicious activity, and is believed to be a significant source of funding for North Korea's weapons programs. In parallel, the "Contagious Interview" operation has been systematically infiltrating the npm ecosystem, with at least 197 malicious packages and over 31,000 downloads targeting blockchain and JavaScript developers. The campaign leverages a complex infrastructure involving GitHub repositories, Vercel-hosted payloads, and command-and-control servers to deliver malware through seemingly innocuous npm packages. These operations demonstrate North Korea's adaptive and persistent threat capabilities, using modern software development workflows and social engineering to gain long-term access to sensitive systems in the tech industry.
Mar 21, 2026
North Korean Famous Chollima APT Deploys OtterCookie and BeaverTail Malware via Trojanized Node.js Apps for Cryptocurrency Theft
The North Korean state-sponsored hacking group known as Famous Chollima has been identified as orchestrating a sophisticated cyber campaign targeting individuals and organizations with the goal of stealing cryptocurrency and sensitive credentials. Security researchers have observed that the group is leveraging trojanized Node.js applications, such as fake versions of legitimate apps like Chessfi, to deliver malicious payloads. Victims are lured through job scam tactics, where they are enticed to install what appears to be a legitimate application, but which actually contains hidden malware. The infection process involves the user executing an 'npm install' command, which surreptitiously downloads a malicious package named 'node-nvm-ssh.' This package is engineered to execute a series of obfuscated commands, ultimately deploying the OtterCookie and BeaverTail malware families onto the victim's system. Recent analysis by Cisco Talos has revealed that the functionalities of BeaverTail and OtterCookie are being merged, indicating a strategic move by the attackers to streamline and enhance their toolset for future campaigns. The evolution of the OtterCookie malware has been particularly notable, with successive versions adding increasingly invasive capabilities. Early versions focused on stealing browser profiles, while later iterations introduced clipboard theft, file exfiltration from all mounted drives, and, most recently, advanced surveillance features. The latest version, designated V5, incorporates a keylogger to capture every keystroke and a screenshotting module that takes images of the victim's desktop every four seconds, with all collected data exfiltrated to the attackers' command and control infrastructure. The campaign has been observed targeting high-value individuals and organizations, with at least one confirmed infection at a Sri Lanka-based organization. The attackers' use of legitimate-looking applications and sophisticated evasion techniques makes detection and prevention challenging. The campaign's primary objective appears to be the theft of cryptocurrency and sensitive user credentials, which are highly valuable on underground markets. Security experts warn that the merging of malware capabilities and the use of evolving infection vectors signal an ongoing and escalating threat from the Famous Chollima group. Organizations are advised to implement robust endpoint protection, monitor for suspicious npm package installations, and educate users about the risks of unsolicited job offers and software downloads. The campaign underscores the persistent and adaptive nature of North Korean cyber operations, particularly in their pursuit of financial gain through cybercrime.
Mar 21, 2026