
North Korean Hackers Flood npm with 197 Malicious Packages

North Korean Hackers Deploy 197 Malicious npm Packages Spreading OtterCookie Malware Through Fake Job Recruitment and Phishing Campaigns

  • North Korean hackers have released 197 malicious packages on the npm registry since last month.
  • These packages spread a variant of the OtterCookie malware that can steal sensitive data and provide remote control of infected machines.
  • The malware evades sandbox detection and targets browser credentials, cryptocurrency wallets, and system information.
  • The attack uses fake job recruitment tactics and staged coding tasks to lure victims.
  • A separate campaign delivers GolangGhost malware through fraudulent camera or microphone fix websites and fake Chrome prompts.

North Korean threat actors behind the Contagious Interview campaign have deployed 197 new malicious packages on the npm registry since last month. These packages have been downloaded over 31,000 times and deliver a malware variant called OtterCookie, combining features from BeaverTail and earlier OtterCookie versions, according to Socket.


Some of the identified malicious “loader” packages include bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss. The malware evades sandbox and virtual machine detection, profiles the infected system, and establishes a command-and-control (C2) channel. This channel grants attackers remote shell access and capabilities to steal clipboard contents, log keystrokes, capture screenshots, and collect browser credentials, documents, cryptocurrency wallet data, and seed phrases.
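A lockfile check for the loader names listed above, as an added example that is not code from Socket or from the original article. The function names and the sample lockfiles are constructed for illustration, and the name list covers only the nine packages the article names.

```javascript
// Loader names exactly as listed in the article; the list is not exhaustive.
const LOADER_NAMES = new Set([
  "bcryptjs-node", "cross-sessions", "json-oauth", "node-tailwind",
  "react-adparser", "session-keeper", "tailwind-magic",
  "tailwindcss-forms", "webpack-loadcss",
]);
// v2/v3 keys look like "node_modules/a/node_modules/@scope/b": the package
// name is whatever follows the last "node_modules/" ("" is the root project).
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Returns [{ name, version, location }] for each listed loader in a parsed lockfile.
function findLoaders(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Aliased installs record the real package name in "name".
    const name = meta.name || nameFromPath(path);
    if (path !== "" && LOADER_NAMES.has(name)) {
      hits.push({ name, version: meta.version || "?", location: path });
    }
  }
  // Lockfile v1 has only a nested "dependencies" tree (v2 duplicates it, so skip).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const location = [...trail, name].join(" > ");
      if (LOADER_NAMES.has(name)) {
        hits.push({ name, version: meta.version || "?", location });
      }
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (versions and parent packages are made up).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/bcryptjs": { version: "2.4.3" },
  "node_modules/@tailwindcss/forms": { version: "0.5.7" },
  "node_modules/tailwindcss-forms": { version: "1.0.0" },
  "node_modules/demo-task/node_modules/json-oauth": { version: "1.0.0" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "demo-task": { version: "1.0.0", dependencies: {
    "session-keeper": { version: "1.0.0" } } },
} };
```

Pass `findLoaders` the parsed contents of a project's `package-lock.json`. Matching is on the exact name, so the similarly named `bcryptjs` and `@tailwindcss/forms` in the sample are not reported.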

Earlier reports by Cisco Talos noted the convergence of OtterCookie and BeaverTail features after an infection that affected a system linked to an organization in Sri Lanka. The infection appeared to result from a user running a Node.js application during a fake job interview process.

Analysis shows the malware connects to a hard-coded Vercel URL (“tetrismic.vercel[.]app”), which fetches the OtterCookie payload from a GitHub repository controlled by the threat actors. The related GitHub account, stardev0914, has since been disabled. Security researcher Kirill Boychenko commented on the campaign’s intensity, noting how North Korean hackers have tailored their tools to modern JavaScript and crypto development environments.

Separately, threat actors operating under the ClickFake Interview moniker have used fake assessment websites resembling camera or microphone troubleshooting guides to distribute malware known as GolangGhost (also called FlexibleFerret or WeaselStore). This malware, written in Go, contacts a fixed C2 server to gather system data, upload and download files, execute commands, and extract information from Google Chrome. It achieves persistence by installing a macOS LaunchAgent that runs a shell script at user login.


The attack chain also includes a decoy app displaying a fake Chrome camera access prompt, followed by a Chrome-style password prompt to capture and send passwords to a Dropbox account. As stated by Validin, this campaign targets individuals through fraudulent hiring processes, including fake coding exercises and recruitment platforms, differentiating it from other North Korean schemes that embed agents in legitimate businesses.
