North Korean Hackers Launch 197 npm Attacks

Ongoing Expansion of the Malware Campaign

North Korean hackers continue to expand their attacks through the npm ecosystem, and researchers warn that the threat is growing fast. The attackers have released 197 additional malicious packages tied to the Contagious Interview operation.

These packages have already been downloaded more than 31,000 times. They deliver an updated version of OtterCookie that combines earlier features with capabilities from BeaverTail. The loaders are published under names that look harmless and familiar to developers.

Malicious Packages and Their Operation

Several of the deceptive packages include terms related to common developer tools. For example, names such as “bcryptjs-node,” “node-tailwind,” and “session-keeper” appear designed to trick unsuspecting users. These names imitate legitimate utilities and therefore increase the likelihood of installation.

Once executed, the malware checks whether the machine runs inside a sandbox. It then profiles the system and opens a command channel. As a result, attackers gain a remote shell and can steal keystrokes, screenshots, wallet data, documents, and browser credentials.

Infrastructure and Payload Delivery

Researchers determined that each malicious package connects to a hard-coded server. This server redirects the request to a cross-platform payload stored in a separate repository. The original hosting account is no longer available.

The campaign demonstrates significant evolution. One expert noted that the attackers have adapted well to modern development workflows, so the malicious packages blend into JavaScript and crypto-related environments with little suspicion.

Related ClickFake Interview Activity

Hackers also use fake assessment websites to deliver a different malware strain. For example, they distribute a Go-based tool called GolangGhost by pretending to fix camera or microphone issues. The malware contacts a fixed server and enters a continuous loop to run commands and steal Chrome data.

The infection chain includes a decoy application that mimics a Chrome permission window and then displays a fake password request. The victims unknowingly send sensitive data to a remote storage account.

Researchers highlight that this operation differs from other known schemes. Traditional attacks often involve infiltrating businesses with false worker identities. However, this campaign weaponizes the hiring process itself by using fraudulent interviews and coding tasks.

How to Prevent These Attacks

Users should avoid running code from unknown sources, even when it appears professional. They should also verify all npm packages before installation and monitor device behavior for unusual activity. Security services that offer real-time threat detection and continuous monitoring can help block disguised scripts, detect hidden payloads, and prevent unauthorized system access.
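A concrete form of the package-verification step above, added here as an example and not code from the article or from any project it names: a Node.js check that flags dependencies whose names are decorated or near-miss copies of well-known packages, in the way the names quoted above imitate bcryptjs and Tailwind. The known-good list and the sample package.json are assumptions constructed for the example.

```javascript
// Added defender-side example (not code from the article or the campaign): flag npm
// dependencies whose names are decorated or near-miss copies of well-known packages.
// Constructed package.json standing in for a project that pulled in the decoys.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { 'bcryptjs-node': '^1.0.0', 'node-tailwind': '^2.1.0', express: '^4.18.2' },
  devDependencies: { 'session-keeper': '^0.3.0', tailwindcss: '^3.4.0' },
});
// Assumed allow-list of reputable names an impostor is likely to imitate; extend for your stack.
const KNOWN_GOOD = ['bcryptjs', 'bcrypt', 'tailwindcss', 'express', 'express-session', 'react', 'lodash'];
// Levenshtein distance with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}
// Drop the "node-" / "-node" / "-js" decoration impostors bolt onto a real name.
function stripDecoration(name) {
  return name.replace(/^(node|js|npm)-/, '').replace(/-(node|js|npm)$/, '');
}

// One finding per dependency that is not itself a known-good name but, after stripping
// decoration, equals or sits within a small edit distance of one.
function findLookalikes(packageJsonText, knownGood = KNOWN_GOOD) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (knownGood.includes(name)) continue;
    const core = stripDecoration(name);
    for (const good of knownGood) {
      const distance = editDistance(core, good);
      // Threshold scales with the target's length; a hit means "review", not "malicious".
      if (distance <= Math.max(2, Math.floor(good.length / 3))) {
        findings.push({ name, imitates: good, distance });
        break;
      }
    }
  }
  return findings;
}
console.log(JSON.stringify(findLookalikes(SAMPLE_PACKAGE_JSON), null, 2));
```

Name similarity is only a trigger for manual review; a flagged package still needs its registry metadata and install scripts inspected before it is trusted.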
