A North Korean threat group linked to the Contagious Interview activity has continued its aggressive malware distribution by uploading 197 additional malicious packages to the npm registry since last month.
Researchers at Socket confirmed that these packages have been downloaded more than 31,000 times. Each of them is designed to install a modified version of OtterCookie that merges functionality from BeaverTail and earlier OtterCookie variants.
Some of the identified loader packages include:
bcryptjs-node
cross-sessions
json-oauth
node-tailwind
react-adparser
session-keeper
tailwind-magic
tailwindcss-forms
webpack-loadcss
Once executed, the malware attempts to avoid detection inside sandboxes or virtual machines, collects system information, and creates a command and control (C2) communication link. Through this link, attackers can obtain a remote shell and perform several actions such as stealing clipboard content, logging keystrokes, taking screenshots, extracting browser credentials, collecting documents, and harvesting cryptocurrency wallet data and seed phrases.
Researchers note that the line separating OtterCookie and BeaverTail has become increasingly unclear. Cisco Talos documented this blending of features last month after an infection involving a Sri Lanka-based organization whose user was likely tricked into running a malicious Node.js application during a fake job interview.

Further investigation shows that the malicious npm packages attempt to connect to a hard-coded Vercel link, tetrismic.vercel[.]app. This link delivers the cross-platform OtterCookie payload, which is stored in a GitHub repository controlled by the threat actors. The GitHub account used for delivery, stardev0914, has since been taken down.
According to security researcher Kirill Boychenko, this continuous activity makes Contagious Interview one of the most active malware campaigns abusing the npm ecosystem. He added that the North Korean actors have clearly adapted their attack tools to modern JavaScript development and cryptocurrency-related workflows.
The threat actors have also begun using fake assessment and skills-test websites that deliver another malware family called GolangGhost, also known as FlexibleFerret or WeaselStore. These websites use ClickFix-style instructions to deceive victims into downloading malware under the pretext of fixing microphone or camera problems. This activity is being tracked as ClickFake Interview.
GolangGhost is written in Go and communicates with a fixed C2 server. After installation, it enters a loop to process commands that allow file uploads, downloads, system command execution, system information collection, and the harvesting of data from Google Chrome. Persistence is maintained by creating a macOS LaunchAgent that triggers its execution through a shell script whenever the user logs in.
The attack sequence also installs a decoy application that displays a fake Chrome camera access request. Afterward, the victim is shown a browser-style password prompt. Any data typed into this prompt is collected and sent to a Dropbox account controlled by the attackers.
A researcher identified as Validin stated that this campaign is separate from other North Korean IT worker operations that focus on infiltrating legitimate businesses under false identities. Instead, Contagious Interview is specifically designed to compromise individuals through fraudulent recruitment channels, staged interviews, malicious coding tasks, and fake hiring platforms. The attackers are turning the job application process itself into a weapon.