North Korea-linked actors behind Contagious Interview uploaded 197 new malicious npm packages to distribute a new OtterCookie malware version.
North Korea-linked threat actors added 197 new malicious npm packages to spread updated OtterCookie malware as part of the ongoing Contagious Interview campaign, cybersecurity firm Socket warns.
The Contagious Interview campaign, active since November 2023 and linked to North Korea, targets software developers on Windows, Linux, and macOS. The attackers focus on developers working in crypto and Web3.
Attackers pose as recruiters on platforms like LinkedIn and use social engineering tactics, including fake job interviews and trojanized demo projects, to deliver malware. Their payloads commonly include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT.
The Contagious Interview campaign keeps expanding in the npm ecosystem, with nation-state actors adding 197 more malicious packages that have drawn over 31,000 additional downloads.
“Since we last reported on this campaign, it has added at least 197 more malicious npm packages and over 31,000 additional downloads, with state-sponsored threat actors targeting blockchain and Web3 developers through fake job interviews and ‘test assignments’,” reads the report published by Socket.
Investigating the malicious npm package tailwind-magic, the researchers uncovered a Vercel-hosted staging site (tetrismic[.]vercel[.]app) that led them to a threat actor–controlled GitHub account, stardev0914. The account contained 18 repositories.
North Korean operators built a full delivery system using their stardev0914 GitHub account. They store malware on GitHub, fetch the latest payload from Vercel, and use a separate C2 server for data theft and tasking. At least five npm packages (tailwind-magic, tailwind-node, node-tailwind, node-tailwind-magic, and react-modal-select) use this setup to drop a second-stage payload. When victims install these packages, the code pulls an OtterCookie variant that checks for VMs, fingerprints the device, and opens a long-term C2 link. It gives attackers a remote shell, keylogging, clipboard theft, screenshots, and credential and wallet harvesting across major OSes. Several GitHub repos act as lures, including fake crypto projects and a typosquatted Tailwind library. Although GitHub removed the stardev0914 account, the campaign continues to evolve, with new malicious npm packages appearing every week.

The malicious npm package tailwind-magic is a typosquatted, backdoored clone of tailwind-merge. While it works like a normal Tailwind utility, its postinstall script contacts a threat-actor server on Vercel and passes the returned code to eval(), giving attackers full remote code execution in the victim’s Node.js environment.
The attackers run a staging server (built on GitHub and deployed on Vercel) that returns a JavaScript payload on request. The npm package fetches this payload and executes it, activating the infection. Their infrastructure is split across GitHub (development), Vercel (payload delivery), and a separate C2 server (tasking and data collection), allowing them to rotate payloads, customize attacks, and keep C2 activity low until the second-stage malware launches.
The OtterCookie payload works as an all-in-one infostealer and remote access tool. It first checks whether the victim uses a VM or sandbox and fingerprints the system. If it decides the host is real, it contacts the C2 server, registers the machine, and waits for tasks. Then it launches three modules in parallel. One module steals clipboard data every few seconds, gives attackers an interactive remote shell, and adds persistence on Windows. Another module collects Chrome and Brave credentials and extracts data from dozens of crypto-wallet extensions. The third module logs keystrokes, captures screenshots from all monitors, scans the entire filesystem for secrets, wallets, and sensitive documents, and uploads everything to the C2 server. All traffic flows to the same IP, allowing attackers to drain digital assets and loot high-value data from developer systems.
Contagious Interview operators use crypto-themed GitHub repositories as lures to deliver malware through malicious npm packages. A cloned Knightsbridge DEX site (“dexproject”) embeds the backdoored node-tailwind package, which loads and runs attacker-controlled code during dependency installation. The tailwind-magic repo similarly supports a typosquatted npm package that impersonates tailwind-merge and fetches remote JavaScript from tetrismic[.]vercel[.]app, turning it into a loader for OtterCookie malware. Other repos act as decoy crypto projects to entice developers into installing the compromised packages during fake job assignments.
“This wave reinforces Contagious Interview as a systematic, factory-style operation that treats npm, GitHub, and Vercel as a combined, renewable initial access channel. In this latest cluster, we observed a full stack: multiple loader packages, a Vercel-hosted stager, and a threat actor-controlled GitHub account serving OtterCookie malware,” concludes the report.
In mid-November, North Korea-linked actors behind the Contagious Interview campaign updated their tactics, using JSON storage services (e.g. JSON Keeper, JSONsilo, and npoint.io) to host and deliver malware through trojanized code projects, according to a new NVISO report.
Source: SecurityAffairs
Source Link: https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html