North Korean APT Exploits npm Supply Chain to Distribute OtterCookie Malware via 197 Malicious Packages
- Rescana
- Nov 30
- 5 min read

Executive Summary
North Korean state-sponsored threat actors, specifically those associated with the Contagious Interview campaign, have executed a sophisticated supply chain attack by publishing 197 malicious packages to the npm registry. These packages are engineered to deliver an updated variant of the OtterCookie malware, which incorporates advanced features from both the original OtterCookie and the BeaverTail malware strains. The campaign leverages a combination of social engineering, fake job interviews, and weaponized open-source developer workflows to compromise targets, exfiltrate credentials, and harvest sensitive data. The scale and technical sophistication of this operation, with over 31,000 downloads of the malicious packages, underscore the critical risk to organizations relying on open-source JavaScript and Node.js ecosystems. This advisory provides a comprehensive technical analysis, threat actor profiling, exploitation details, and actionable mitigation strategies to help organizations defend against this evolving threat.
Threat Actor Profile
The campaign is attributed to North Korean state-sponsored actors, specifically the group behind the Contagious Interview operation. This group is known for targeting software developers and IT professionals globally, often masquerading as legitimate recruiters or employers. Their tactics include staging elaborate fake job interviews and technical assessments, during which victims are manipulated into installing malicious code under the guise of coding challenges or required tools. The group’s activities are closely linked to broader DPRK IT worker schemes, which aim to infiltrate organizations, steal intellectual property, and generate revenue for the North Korean regime. The actors demonstrate a high degree of operational security, regularly rotating infrastructure and leveraging legitimate cloud services such as Vercel, GitHub, and Dropbox for command-and-control (C2) and data exfiltration. Their technical proficiency is evident in their ability to evade detection, persist on compromised systems, and adapt their malware to target both Windows and macOS environments.
Technical Analysis of Malware/TTPs
The attack chain begins with the publication of 197 malicious packages to the npm registry. These packages are crafted to appear as legitimate JavaScript or Node.js libraries, often mimicking popular open-source modules. Notable package names include bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss. Once installed, these packages act as loaders, initiating a multi-stage infection process.
The initial payload establishes a remote shell by connecting to a hard-coded Vercel URL (tetrismic.vercel[.]app). This shell is used to fetch the main OtterCookie malware from a now-removed GitHub account (stardev0914). The updated OtterCookie variant exhibits several advanced capabilities, including sandbox and virtual machine evasion, comprehensive system profiling, and robust C2 communication. It is capable of harvesting clipboard contents, logging keystrokes, capturing screenshots, extracting browser credentials, collecting documents, and targeting cryptocurrency wallet data and seed phrases.
Persistence is achieved through platform-specific mechanisms. On macOS, the malware leverages LaunchAgent and shell scripts to ensure it remains active across reboots. Additional payloads, such as GolangGhost (also known as FlexibleFerret or WeaselStore), are distributed via fake assessment-themed websites. These payloads are written in Go, maintain persistence via LaunchAgent, and are capable of uploading and downloading files, executing arbitrary OS commands, and harvesting Chrome browser data. A particularly insidious feature is the use of decoy Chrome prompts to phish for credentials, which are then exfiltrated to Dropbox.
The campaign’s tactics, techniques, and procedures (TTPs) align with several MITRE ATT&CK techniques, including supply chain compromise, command and scripting interpreter execution, boot or logon autostart execution, credential access from password stores, screen capture, keylogging, and exfiltration over web services. The actors’ use of legitimate cloud infrastructure for C2 and exfiltration complicates detection and response efforts.
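As an added illustration of the detection point above (this is not code from the advisory or from Rescana), the following Node.js script refangs the advisory's defanged C2 indicator and matches it against destination hosts in DNS and proxy log lines, including subdomains of the indicator. The log format and the sample lines are constructed for the example; the only indicator used is the one named in this advisory.

```javascript
// Added example (not from the Rescana advisory): flag log lines whose destination
// host matches a defanged network indicator such as tetrismic.vercel[.]app.
// The log format and the sample lines below are constructed for illustration.

// Indicators as published in the advisory, kept in defanged form.
const DEFANGED_INDICATORS = ['tetrismic.vercel[.]app'];

// Turn a defanged indicator back into a matchable, lower-case hostname.
function refang(indicator) {
  return indicator
    .replace(/\[\.\]/g, '.')
    .replace(/\(\.\)/g, '.')
    .replace(/^hxxps?:\/\//i, '')
    .toLowerCase();
}

// Pull the destination hostname out of a URL or a bare host[:port] field.
function hostFromField(field) {
  let value = field.trim().toLowerCase();
  value = value.replace(/^[a-z]+:\/\//, ''); // strip scheme
  value = value.split(/[/?#]/)[0];           // drop path, query, fragment
  value = value.replace(/:\d+$/, '');        // drop port
  return value.replace(/\.$/, '');           // drop trailing dot (DNS form)
}

// Exact match or subdomain match; returns the matching indicator or null.
function matchesIndicator(host, indicators) {
  return indicators.find((ioc) => host === ioc || host.endsWith('.' + ioc)) || null;
}

// Each line: "<timestamp> <source-ip> <event> <destination>" (constructed format).
function scanLogLines(lines, defanged = DEFANGED_INDICATORS) {
  const indicators = defanged.map(refang);
  const hits = [];
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 4) continue; // skip malformed lines
    const [ts, src, event, dest] = parts;
    const host = hostFromField(dest);
    const ioc = matchesIndicator(host, indicators);
    if (ioc) hits.push({ ts, src, event, host, indicator: ioc });
  }
  return hits;
}

// Constructed sample lines: one DNS query and one HTTPS connect to the C2 host,
// plus benign traffic to the npm registry and an unrelated vercel.app project.
const SAMPLE_LOG = [
  '2025-11-29T09:14:02Z 10.0.4.21 dns-query registry.npmjs.org.',
  '2025-11-29T09:14:05Z 10.0.4.21 dns-query tetrismic.vercel.app.',
  '2025-11-29T09:14:06Z 10.0.4.21 https-connect https://tetrismic.vercel.app:443/',
  '2025-11-29T09:15:30Z 10.0.4.37 https-connect https://docs.example-team.vercel.app/',
];

for (const hit of scanLogLines(SAMPLE_LOG)) {
  console.log(`${hit.ts} ${hit.src} ${hit.event} -> ${hit.host} (matches ${hit.indicator})`);
}
```

The subdomain match matters because a hostname indicator published for a cloud platform may appear in logs with additional labels, while the unrelated `docs.example-team.vercel.app` line shows why the check must not be widened to the whole `vercel.app` parent domain: legitimate projects share that infrastructure, which is exactly what makes this C2 choice hard to block at the domain level.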
Exploitation in the Wild
The campaign has achieved significant reach, with over 31,000 downloads of the malicious npm packages reported by Socket. At least one confirmed infection has occurred at an organization headquartered in Sri Lanka, as documented by Cisco Talos. The attackers’ use of social engineering, particularly through fake job interviews and coding assessments, has enabled them to target a global pool of developers and IT professionals. The campaign remains active, with new packages and infrastructure being deployed regularly. The use of open-source ecosystems as an attack vector highlights the growing risk of supply chain attacks and the need for heightened vigilance among organizations that rely on third-party code.
Victimology and Targeting
The primary targets of this campaign are software developers, IT professionals, and organizations involved in JavaScript and Node.js development. Sectors at elevated risk include software development firms, cryptocurrency companies, and any organization that employs developers or conducts technical interviews. The campaign’s global reach is facilitated by the widespread use of npm and the open-source model, which allows attackers to distribute malicious code to a broad audience with minimal barriers. The use of social engineering tactics, such as fake job offers and technical assessments, enables the attackers to bypass traditional security controls and directly target individuals with elevated access and privileges. The confirmed victim in Sri Lanka suggests that the campaign is not geographically limited and that organizations worldwide should consider themselves at risk.
Mitigation and Countermeasures
Organizations should implement a multi-layered defense strategy to mitigate the risk posed by this campaign. First, restrict the installation of npm packages to trusted sources and maintain an allowlist of approved modules. Regularly audit dependencies for known malicious package names and monitor for suspicious activity related to C2 domains such as tetrismic.vercel[.]app and associated GitHub and Dropbox accounts. Educate developers and IT staff about the risks of social engineering, particularly in the context of job offers and coding assessments. Encourage the use of sandboxed environments for evaluating third-party code and implement robust endpoint detection and response (EDR) solutions capable of identifying keylogging, clipboard access, and unauthorized persistence mechanisms such as LaunchAgent on macOS. Network monitoring should be configured to detect anomalous connections to cloud services commonly abused for C2 and exfiltration. Finally, establish an incident response plan that includes procedures for supply chain attack scenarios and ensure that all staff are aware of reporting protocols for suspicious activity.
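The dependency audit recommended above, as an added example that is not Rescana's tooling or code from the advisory: a Node.js script that checks a project's package.json and package-lock.json (lockfile v2/v3 layout) against the malicious package names listed in the Technical Analysis section, catching both direct and transitively installed copies. The blocklist entries are the names from this advisory; the manifest, the lockfile and the parent package `example-ui-kit` are constructed sample data.

```javascript
// Added example (not Rescana's code): audit a manifest and lockfile for package
// names published in the advisory. Blocklist entries are from the advisory; the
// sample manifest and lockfile below are constructed for illustration.

const BLOCKLIST = new Set([
  'bcryptjs-node', 'cross-sessions', 'json-oauth', 'node-tailwind',
  'react-adparser', 'session-keeper', 'tailwind-magic', 'tailwindcss-forms',
  'webpack-loadcss',
]);

// Direct dependencies across all dependency sections of package.json.
function directDependencies(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const out = [];
  for (const section of sections) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      out.push({ name, range, section });
    }
  }
  return out;
}

// package-lock.json v2/v3 keys installed packages by path, e.g.
// "node_modules/a/node_modules/b"; the package name is whatever follows the
// last "node_modules/". Scoped names (@scope/name) keep their scope.
function nameFromLockPath(path) {
  const idx = path.lastIndexOf('node_modules/');
  return idx === -1 ? null : path.slice(idx + 'node_modules/'.length);
}

// Every installed package in the lockfile, marking nested (transitive) installs.
function lockedPackages(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project's own entry
    const name = nameFromLockPath(path);
    if (!name) continue;
    const transitive = path.split('node_modules/').length > 2;
    out.push({ name, version: meta.version, path, transitive });
  }
  return out;
}

// One finding per blocklisted package seen in either file.
function auditProject(pkg, lock, blocklist = BLOCKLIST) {
  const findings = [];
  for (const d of directDependencies(pkg)) {
    if (blocklist.has(d.name)) {
      findings.push({ source: 'package.json', name: d.name, detail: `${d.section} ${d.range}` });
    }
  }
  for (const p of lockedPackages(lock)) {
    if (blocklist.has(p.name)) {
      const where = `${p.version} at ${p.path}${p.transitive ? ' (transitive)' : ''}`;
      findings.push({ source: 'package-lock.json', name: p.name, detail: where });
    }
  }
  return findings;
}

// Constructed sample project: one blocklisted direct dependency, one pulled in
// transitively by a fictitious "example-ui-kit", and a benign neighbour.
const SAMPLE_PACKAGE_JSON = {
  name: 'interview-task',
  dependencies: { 'bcryptjs-node': '^2.4.3', express: '^4.19.2' },
  devDependencies: { 'example-ui-kit': '^0.3.0' },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'interview-task' },
    'node_modules/bcryptjs-node': { version: '2.4.3' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/example-ui-kit': { version: '0.3.0' },
    'node_modules/example-ui-kit/node_modules/tailwind-magic': { version: '1.0.2' },
  },
};

for (const f of auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE)) {
  console.log(`[${f.source}] ${f.name}: ${f.detail}`);
}
```

To run this against a real project, pass `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json` to `auditProject`. Checking the lockfile and not only the manifest is what surfaces the transitive case: a blocklisted name that never appears in package.json can still be installed under another dependency's `node_modules` directory, which is why the audit walks every path in the lockfile rather than the top-level dependency list alone.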
References
The following sources provide additional technical details and context for this campaign:
The Hacker News: North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware (https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html)
Socket: Research on npm Supply Chain Attacks (https://socket.dev/blog/north-korean-hackers-npm-ottercookie)
SecurityAffairs: Contagious Interview Campaign Expands with 197 npm Packages (https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html)
MITRE: ATT&CK Techniques (https://attack.mitre.org/)
Cisco Talos: North Korean Threat Activity (https://blog.talosintelligence.com/)
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to identify, assess, and mitigate cyber risks across their supply chains. Our platform leverages cutting-edge threat intelligence, automation, and continuous monitoring to help organizations stay ahead of emerging threats and maintain robust security postures. For more information about how Rescana can help protect your organization from supply chain and third-party risks, or to discuss any aspect of this advisory, we are happy to answer questions at ops@rescana.com.