The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 additional malicious packages since last month.
According to Socket, these packages have been downloaded more than 31,000 times and are designed to provide a variant of OtterCookie that integrates functionality from BeaverTail and previous versions of OtterCookie.
Some of the identified “loader” packages are listed below.
- bcryptjs node
- cross session
- json-oauth
- Node tailwind
- react ad parser
- session keeper
- Tailwind magic
- tailwindcss form
- webpack-loadcss
Once launched, the malware bypasses sandboxes and virtual machines, attempts to profile the machine, establishes a command-and-control (C2) channel, and provides the attacker with a remote shell, as well as the ability to steal clipboard contents, log keystrokes, capture screenshots, and collect browser credentials, documents, cryptocurrency wallet data, and seed phrases.
It is worth noting that the blurred distinction between OtterCookie and BeaverTail was documented by Cisco Talos last month in connection with an infection that affected systems associated with an organization headquartered in Sri Lanka, where users were likely tricked into running a Node.js application as part of a fake job interview process.
Further analysis reveals that these packages are designed to connect to a hard-coded Vercel URL (“tetrismic.vercel(.)app”) and then retrieve a cross-platform OtterCookie payload from a threat actor-controlled GitHub repository. The GitHub account stardev0914, which serves as a distribution vehicle, is no longer accessible.
“This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and shows how thoroughly North Korean threat actors have adapted their tools to modern JavaScript and cryptocentric development workflows,” said security researcher Kirill Boichenko.
This development occurred after a fake reputation-themed website created by a threat actor utilized ClickFix-style instructions to distribute malware called GolangGhost (also known as FlexibleFerret or WeaselStore) under the pretext of fixing camera and microphone issues. This activity is tracked under the name ClickFake Interview.
The malware, written in Go, connects to a hardcoded C2 server and enters a persistent command processing loop to collect system information, upload/download files, execute operating system commands, and collect information from Google Chrome. Persistence is achieved by creating a macOS LaunchAgent that automatically triggers execution by a shell script when a user logs in.
As part of the attack chain, a decoy application is also installed that displays a fake Chrome camera access prompt to continue the ruse. It then displays a Chrome-style password prompt and captures the content you type and sends it to your Dropbox account.
“While there is some overlap, this campaign is different from other North Korean IT worker programs that focus on integrating actors within legitimate companies under false identities,” Validin said. “In contrast, contagious interviews are designed to put individuals at risk through step-by-step hiring pipelines, malicious coding exercises, and fraudulent hiring platforms, weaponizing the job application process itself.”
