The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month.
According to Socket, these packages have been downloaded over 31,000 times, and are designed to deliver a variant of OtterCookie that brings together the features of BeaverTail and prior versions of OtterCookie.
Some of the identified “loader” packages are listed below –
- bcryptjs-node
- cross-sessions
- json-oauth
- node-tailwind
- react-adparser
- session-keeper
- tailwind-magic
- tailwindcss-forms
- webpack-loadcss
The malware, once launched, attempts to evade sandboxes and virtual machines, profiles the machine, and then establishes a command-and-control (C2) channel to provide the attackers with a remote shell, along with capabilities to steal clipboard contents, log keystrokes, capture screenshots, and gather browser credentials, documents, cryptocurrency wallet data, and seed phrases.
It’s worth noting that the blurring distinction between OtterCookie and BeaverTail was documented by Cisco Talos last month in connection with an infection that impacted a system associated with an organization headquartered in Sri Lanka after a user was likely deceived into running a Node.js application as part of a fake job interview process.
Further analysis has determined that the packages are designed to connect to a hard-coded Vercel URL (“tetrismic.vercel[.]app”), which then proceeds to fetch the cross-platform OtterCookie payload from a threat actor-controlled GitHub repository. The GitHub account that serves as the delivery vehicle, stardev0914, is no longer accessible.
“This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows,” security researcher Kirill Boychenko said.
The development comes as fake assessment-themed websites created by the threat actors have leveraged ClickFix-style instructions to deliver malware referred to as GolangGhost (aka FlexibleFerret or WeaselStore) under the pretext of fixing camera or microphone issues. The activity is tracked under the moniker ClickFake Interview.
Written in Go, the malware contacts a hard-coded C2 server and enters into a persistent command-processing loop to collect system information, upload/download files, run operating system commands, and harvest information from Google Chrome. Persistence is achieved by writing a macOS LaunchAgent that triggers its execution by means of a shell script automatically upon user login.
Also installed as part of the attack chain is a decoy application that displays a bogus Chrome camera access prompt to keep up the ruse. Subsequently, it presents a Chrome-style password prompt that captures the content entered by the user and sends it to a Dropbox account.
“Although there is some overlap, this campaign is distinct from other DPRK IT Worker schemes that focus on embedding actors within legitimate businesses under false identities,” Validin said. “Contagious Interview, by contrast, is designed to compromise individuals through staged recruiting pipelines, malicious coding exercises, and fraudulent hiring platforms, weaponizing the job application process itself.”
