Hacking

Nearly 200 Malicious npm Packages Linked to North Korean Hackers

Published  ·  3 min read

North Korea’s malware operation targeting developers hasn’t slowed down. In fact, it’s grown noticeably louder. Security researchers have confirmed that the group behind the “Contagious Interview” scheme has pushed almost two hundred additional malicious packages to the npm registry within the past month. The speed alone is remarkable, even for a DPRK-linked campaign.

Socket, which has been tracking the activity, found that these packages have already been downloaded more than 31,000 times. They aren't simple placeholders or decoys. Each one is designed to deploy a fresh variant of OtterCookie, a malware strain that has gradually absorbed features from BeaverTail and older OtterCookie versions.

A handful of the identified loader packages include:
1. bcryptjs-node
2. cross-sessions
3. json-oauth
4. node-tailwind
5. react-adparser
6. session-keeper
7. tailwind-magic
8. tailwindcss-forms
9. webpack-loadcss

Once executed, the malware works through a predictable but effective routine: check whether it’s running inside a sandbox, gather machine details, and open a command channel back to the operators. From that point, the attackers have a toolkit at their disposal remote shell access, keystroke logging, clipboard scraping, screenshot capture, and broad credential collection. Cryptocurrency data sits high on the list of targeted items.

One detail that stood out to researchers was the use of a hard-coded Vercel URL, which acts as a pivot to pull the actual OtterCookie payload from a GitHub repository. The GitHub account tied to the activity has been removed, though the packages remain active in the registry.

Cisco Talos previously highlighted how the lines between OtterCookie and BeaverTail have blurred, noting a case in Sri Lanka where a victim unknowingly ran a malicious Node.js file distributed as part of a fake job interview. This campaign appears to be an extension of that same tactic.

Kirill Boychenko from Socket described the campaign’s pace as unusually aggressive, especially for an ecosystem as widely used as npm.

A Second Track: “ClickFake Interview”
Another cluster separate but operating in a similar space has also been active. This one revolves around fake assessment sites that trick users into downloading malware under the pretext of fixing camera or microphone issues. The payload in this case is GolangGhost, also known as FlexibleFerret or WeaselStore.
GolangGhost runs a persistent loop to receive commands from a remote server. It can upload and download files, execute system commands, and collect browser information. On macOS, it maintains persistence through a LaunchAgent. To keep the deception intact, the attackers use a decoy app that imitates Chrome permission prompts and login dialogs. Whatever the user types into these screens gets siphoned directly to a Dropbox account.

A Different Kind of Job Scam
While North Korean IT-worker infiltration schemes typically focus on getting operatives hired into real companies, Contagious Interview and its related campaigns operate in a different lane. Here, the target is the job applicant. The attackers weaponize the hiring process itself coding tests, interview tools, fake assessment platforms and use them as a delivery system.

It’s a simple idea, and that’s why it works. Developers trust workflows that appear to be part of a hiring pipeline. The attackers are counting on that trust.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067